Tag: supply-chain

62 Attack Reports | 0 Vulnerabilities

Attack reports

WebAssembly Malware Found in Trojanized Open VSX Extensions

Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a sophisticated WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in trans…
supply chain
webassembly
cryptocurrency targeting
open vsx
2026-06-16
chacha20 encryption
dead-drop c2
glasswasm
solana blockchain
tinygo
vs code extensions
Published: June 16, 2026
Downloadable IOCs: 11

OptinMonster supply chain attack hits 1.2 million sites

An active supply-chain attack targeted over 1.2 million WordPress sites using OptinMonster, TrustPulse, and PushEngage plugins operated by Awesome Motive. Attackers injected malicious JavaScript into legitimate files served through Awesome Motive's CDN endpoints. The malware activates when a logged…
backdoor
supply-chain
wordpress
2026-06-14
awesome motive
cdn compromise
optinmonster
pushengage
trustpulse
Published: June 14, 2026
Downloadable IOCs: 10

Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files

An attacker registered the unscoped 'tanstack' name on npm and published four malicious versions (2.0.4-2.0.7) within 27 minutes on April 29, 2026. These packages contained postinstall hooks that automatically exfiltrated environment files containing sensitive credentials when developers ran npm in…
supply-chain
npm
2026-05-05
package-squatting
postinstall-hook
tanstack
webhook-exfiltration
Published: May 5, 2026
Downloadable IOCs: 5

PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers

A fifth wave of the PhantomRaven NPM supply chain attack campaign has been discovered, utilizing 33 new malicious packages and fresh command-and-control infrastructure registered on March 10, 2026. The operation employs a sophisticated three-stage payload delivery mechanism using Remote Dynamic Dep…
supply-chain
azure
2026-05-04
phantomraven
remote-dynamic-dependency
Published: May 4, 2026
Linked vulnerabilities : CVE-2026-31431
Downloadable IOCs: 11

Kuse Web App Abused to Host Phishing Document

Bad actors exploited Kuse, a legitimate AI-based workplace application, to conduct a phishing campaign. Attackers leveraged a Vendor Email Compromise (VEC) to send malicious emails from a trusted vendor's compromised mailbox, establishing initial trust. The attack utilized Kuse's file-sharing featu…
phishing
social engineering
supply chain
credential harvesting
fake login page
2026-04-29
ai platform abuse
markdown file
vendor email compromise
Published: April 29, 2026
Downloadable IOCs: 3

The npm Threat Landscape: Attack Surface and Mitigations

The npm ecosystem experienced a critical shift in September 2025 with the Shai-Hulud worm, marking the transition from isolated attacks to systematic supply chain compromises. In April 2026, TeamPCP launched a coordinated campaign through a malicious @bitwarden/cli package targeting multiple distri…
obfuscation
supply chain
credential harvesting
github
shai-hulud
ci/cd compromise
npm packages
worm propagation
2026-04-25
self-replicating malware
Published: April 25, 2026
Downloadable IOCs: 4

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while …
supply-chain
north korea
infostealer
credential theft
npm
beavertail
contagious interview
invisibleferret
ssh backdoor
ottercookie
javascript obfuscation
2026-04-13
koalemos
vercel c2
Published: April 13, 2026
Downloadable IOCs: 9

Axios Front-End Library npm Supply Chain Poisoning Alert

On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios was poisoned by the supply chain. The attacker bypassed the normal GitHub Actions CI/CD pipeline of the project, changed the account email address of the axios maintainer to an anonymous ProtonMail address, …
supply chain
npm
supply chain attack
axios
2026-04-01
Published: April 1, 2026
Downloadable IOCs: 1

Supply-Chain Compromise of axios npm Package

A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's…
supply-chain
credential-theft
npm
cross-platform
remote access trojan
axios
remote-access-trojan
2026-03-31
Published: March 31, 2026
Downloadable IOCs: 4

Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities

The Russian-aligned cyber espionage group Pawn Storm has launched a new campaign using the PRISMEX malware suite to target Ukrainian defense and Western military aid infrastructure. The campaign exploits vulnerabilities CVE-2026-21509 and CVE-2026-21513, using advanced steganography, COM hijacking,…
apt28
supply chain
ukraine
steganography
nato
critical infrastructure
notdoor
CVE-2026-21509
minidoor
CVE-2026-21513
2026-03-26
prismex
prismexdrop
prismexloader
prismexstager
Published: March 26, 2026
Downloadable IOCs: 84

Malicious PyPI Package - LiteLLM Supply Chain Compromise

A malicious supply chain attack has been discovered in the Python Package Index package litellm version 1.82.8. The compromised package contains a malicious .pth file that executes automatically when the Python interpreter starts, without requiring explicit import. This file, located in site-packag…
supply chain
pypi
cloud credentials
2026-03-25
litellm
Published: March 25, 2026
Downloadable IOCs: 1

Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East

A new cybercriminal group, Nasir Security, believed to be associated with Iran, is targeting energy organizations in the Middle East. They focus on attacking supply chain vendors involved in engineering, safety, and construction. The group emerged in October 2025 and has claimed attacks on various …
supply chain
disinformation
business email compromise
spear phishing
middle east
energy sector
2026-03-23
pro-iranian
Published: March 23, 2026
Downloadable IOCs: 0

"Handala Hack" - Unveiling Group's Modus Operandi

Handala Hack, an online persona operated by Void Manticore, is affiliated with Iranian intelligence services. The group, known for destructive wiping attacks and hack-and-leak operations, has targeted organizations in Israel, Albania, and the US. Their tactics include supply chain attacks, credenti…
supply chain
credential theft
iranian threat actor
2026-03-16
handala wiper
wiping attacks
Published: March 16, 2026
Downloadable IOCs: 7

Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran

A significant joint offensive by the US and Israel has triggered a multi-vector retaliatory campaign from Iran, leading to an escalation in cyberattacks. Iran's limited internet connectivity is likely hindering state-aligned threat actors' ability to coordinate sophisticated attacks. Hacktivist gro…
espionage
phishing
ransomware
state-sponsored
supply chain
ddos
iran
hacktivism
critical infrastructure
geopolitical conflict
2026-03-03
redalert
Published: March 3, 2026
Downloadable IOCs: 1

New malicious npm package 'ambar-src' targets developers with open source malware

A malicious npm package named "ambar-src" reached 50,000 downloads in days before being removed from the registry. It uses a preinstall script to execute malicious code during installation, targeting Windows, Linux, and macOS systems. The package employs detection evasion techniques and deploys pow…
linux
windows
supply chain
macos
npm
open-source malware
detection evasion
2026-02-27
apfell
mythicagents
preinstall script
reverse_ssh
yandex cloud
Published: February 27, 2026
Downloadable IOCs: 6

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains

An active supply chain worm campaign, dubbed SANDWORM_MODE, is spreading through typosquatting and AI toolchain poisoning across at least 19 malicious npm packages. The worm exhibits Shai-Hulud characteristics, incorporating GitHub API exfiltration with DNS fallback, hook-based persistence, SSH pro…
supply-chain
typosquatting
credential-theft
worm
exfiltration
ai
npm
github
2026-02-23
ci
sandworm_mode
Published: February 23, 2026
Downloadable IOCs: 2

Nation-State Actors Exploit Notepad++ Supply Chain

A state-sponsored threat group known as Lotus Blossom compromised the official hosting infrastructure for Notepad++ between June and December 2025. The attackers hijacked traffic to the update server, allowing them to selectively target specific users, primarily in Southeast Asia across government,…
supply chain
cobalt strike
dll sideloading
infrastructure compromise
southeast asia
chrysalis
notepad++
chrysalis backdoor
2026-02-12
infrastructure hijacking
2026-02-16
Published: February 16, 2026
Downloadable IOCs: 20

Notepad++ supply chain attack breakdown

The article details a sophisticated supply chain attack on Notepad++ that occurred from July to October 2025. Attackers compromised the update infrastructure, deploying various malicious payloads through three distinct infection chains. The attack targeted individuals and organizations in Vietnam, …
supply-chain
cobalt strike
cobalt strike beacon
dll sideloading
shellcode
nsis
mgbot
metasploit
2026-02-03
notepad++
chrysalis backdoor
Published: February 3, 2026
Downloadable IOCs: 36

Supply chain attack: what you should know

A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence t…
malware
supply chain
persistence
unauthorized access
scheduled tasks
digital signature
2026-01-29
escan
antivirus
consctlx.exe
reload.exe
Published: January 29, 2026
Downloadable IOCs: 7

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

A North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware utilized three infection mechanisms: VSCode auto-execution, backend RCE via Function Constructor, and cookie payload delivery. The inf…
backdoor
obfuscation
north korea
xmrig
cryptocurrency
supply chain
tsunami
beavertail
vercel
2026-01-15
upwork
vynlence
Published: January 15, 2026
Downloadable IOCs: 8

Malicious NPM Packages Deliver NodeCordRAT

Three malicious npm packages were discovered in November 2025, designed to deliver and install a new RAT malware family named NodeCordRAT. The packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, mimicked legitimate Bitcoin-related libraries to deceive developers. NodeCordRAT uses Discord for com…
supply-chain
credential-theft
cryptocurrency
npm
2026-01-08
nodecordrat
Published: January 8, 2026
Downloadable IOCs: 0

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and ex…
supply-chain
developers
process-hollowing
extension
multi-stage
vscode
uac-bypass
2025-12-04
remote-access-toolkit
anivia
octorat
Published: December 4, 2025
Downloadable IOCs: 8

Bootstrap script exposes PyPI to domain takeover attacks

A vulnerability in legacy Python packages could enable an attack on PyPI through a domain compromise. The issue stems from bootstrap files for a build tool that installs the 'distribute' package, which fetch and execute an installation script from a now-available domain. Affected packages include t…
supply chain
vulnerability
open-source
pypi
domain takeover
bootstrap script
2025-12-03
python packaging
Published: December 3, 2025
Linked vulnerabilities : CVE-2023-45311
Downloadable IOCs: 2

Shai-Hulud V2 Poses Risk to NPM Supply Chain

A second wave of the Shai-Hulud malware campaign, dubbed 'The Second Coming', has emerged targeting the npm ecosystem. This advanced software supply chain attack has compromised over 700 npm packages and created more than 27,000 malicious GitHub repositories. Shai-Hulud V2 introduces critical advan…
backdoor
supply chain
worm
exfiltration
credential theft
github
2025-12-03
shai-hulud v2
Published: December 3, 2025
Downloadable IOCs: 3

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware target…
supply chain
cloud
credential theft
azure
npm
aws
github
shai-hulud
2025-11-27
gcp
Published: November 27, 2025
Downloadable IOCs: 6

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…
supply-chain
obfuscation
apt
powershell
rhadamanthys
zero-day
CVE-2025-26633
msc eviltwin
encrypthub
darkwisp
silentprism
russia-aligned
2025-11-26
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 4

Build script exposes PyPI to domain takeover attacks

ReversingLabs researchers discovered vulnerable code in legacy Python packages that could enable an attack on the Python Package Index (PyPI) via a domain compromise. The vulnerability lies in bootstrap files for a build tool that installs the Python package 'distribute' and performs other tasks. W…
python
supply chain
vulnerability
pypi
2025-11-24
packaging
legacy code
domain takeover
CVE-2023-45311
bootstrap script
Published: November 24, 2025
Linked vulnerabilities : CVE-2023-45311
Downloadable IOCs: 0

APT24 Pivot to Multi-Vector Attacks

APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They comprom…
obfuscation
phishing
supply chain
cobalt strike
china
cobalt strike beacon
cyber espionage
2025-11-20
badaudio
strategic web compromise
Published: November 20, 2025
Downloadable IOCs: 0

Remote access, real cargo: cybercriminals targeting trucking and logistics

Cybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use their access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) …
screenconnect
phishing
social engineering
supply chain
lumma stealer
cybercrime
danabot
netsupport
stealc
simplehelp
fleetdeck
n-able
pdq connect
logistics
2025-11-03
cargo theft
logmein resolve
trucking
remote monitoring tools
Published: November 3, 2025
Downloadable IOCs: 39

Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack

A new Windows-based malware family called Airstalk has been discovered, available in PowerShell and .NET variants. It is believed to be used by a nation-state threat actor in a supply chain attack. Airstalk misuses the AirWatch API for mobile device management to establish covert command-and-contro…
supply chain
nation-state
2025-10-29
airstalk
Published: October 29, 2025
Downloadable IOCs: 6

Malicious PyPI Packages Deliver SilentSync RAT

Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturin…
rat
python
typosquatting
supply chain
data theft
remote access
pypi
data-exfiltration
supply-chain-attack
browser-data-theft
2025-09-18
silentsync
2025-09-19
python packages
Published: September 19, 2025
Downloadable IOCs: 0

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…
phishing
supply chain
worm
javascript
credential harvesting
npm
self-replicating
shai-hulud
2025-09-18
Published: September 18, 2025
Downloadable IOCs: 1

Self-replicating Shai-hulud worm spreads token stealing malware on npm

A self-replicating worm named Shai-hulud has been detected on the npm registry, spreading through compromised developer accounts and injecting malicious code into legitimate packages. The worm steals cloud service tokens, primarily targeting npm, GitHub, AWS, and GCP. It also installs Trufflehog to…
supply-chain
worm
npm
open-source
2025-09-16
self-replicating
shai-hulud
package-compromise
token-stealing
Published: September 16, 2025
Downloadable IOCs: 0

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse

A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesti…
supply chain
data theft
credential harvesting
salesforce
2025-09-08
oauth tokens
salesloft drift
Published: September 8, 2025
Linked vulnerabilities : CVE-2025-53690
Downloadable IOCs: 8

Supply Chain Risk in Python: Termcolor and Colorama Explained

A suspicious Python package named termncolor was discovered, which imports a malicious dependency called colorinal. This multi-stage malware operation leverages DLL sideloading to decrypt payloads, establish persistence, and conduct command-and-control communication, ultimately leading to remote co…
supply-chain
python
persistence
pypi
dll-sideloading
2025-08-16
c2-communication
zulip
termncolor
colorinal
Published: August 16, 2025
Downloadable IOCs: 0

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They requ…
social engineering
supply chain
business email compromise
2025-07-23
rfq scam
electronics theft
net financing fraud
Published: July 23, 2025
Downloadable IOCs: 94

Stealthy GitHub Malware Campaign Targets Devs

A new campaign exploiting GitHub to distribute malicious Python code disguised as legitimate hacking tools has been uncovered. The operation, attributed to the group known as Banana Squad, used 67 repositories hosting trojanized files that mimicked benign open-source projects. The attackers exploit…
backdoor
python
supply chain
repositories
open-source
github
2025-06-19
trojanized files
encoding
Published: June 19, 2025
Downloadable IOCs: 2

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltr…
supply chain
persistence
privilege escalation
data exfiltration
open-source
github
anti-debugging
2025-06-16
backdoor.js.dullrat
multistage malware
Published: June 16, 2025
Downloadable IOCs: 0

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware has recently targeted National Defense Corporation and its subsidiaries, impacting the defense industrial base supply chain. The group's attack on AMTEC, a manufacturer of ammunition and explosives, has exposed sensitive information about global defense contractors and their su…
supply chain
data leak
double extortion
interlock ransomware
2025-05-16
defense industrial base
national security
cmmc
geopolitical influence
intellectual property
Published: May 16, 2025
Downloadable IOCs: 11

Lazarus APT updates its toolset in watering hole attacks

The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, sem…
apt
supply chain
south korea
vulnerability exploitation
watering hole
2025-04-24
copperhedge
signbt
threatneedle
agamemnon downloader
wagent
Published: April 24, 2025
Downloadable IOCs: 0

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…
phishing
cryptocurrency
supply chain
2025-04-04
2025-04-07
crm
coinbase
bulk email
ledger
seed phrase poisoning
Published: April 7, 2025
Downloadable IOCs: 45

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…
screenconnect
phishing
ransomware
supply chain
mfa bypass
qilin
CVE-2023-27532
2025-04-01
evilginx
stac4365
msp
Published: April 1, 2025
Downloadable IOCs: 0

Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware…
backdoor
supply-chain
apt
targeted
2025-03-04
satellite
sosano
Published: March 4, 2025
Downloadable IOCs: 0

Targeted activity UAC-0212 against developers and suppliers of automation and process control solutions

In 2024-2025, UAC-0212, a subcluster of UAC-0002 (Sandworm), launched targeted cyberattacks against Ukrainian critical infrastructure and related industries. The actor employed new tactics, exploiting CVE-2024-38213 to deliver malware through PDF documents. Tools like SECONDBEST, EMPIREPAST, SPARK,…
sandworm
supply chain
CVE-2024-38213
2025-02-26
crookbag
Published: February 26, 2025
Linked vulnerabilities : CVE-2024-38213 (CVSS 6.5)
Downloadable IOCs: 112

Unpacking the BADBOX Botnet

The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certific…
android
supply chain
iot
botnet
badbox
firmware
2025-02-05
censys
ssh host key
ssl/tls certificate
Published: February 5, 2025
Downloadable IOCs: 19

Targeted supply chain attack against Chrome browser extensions

In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API ke…
phishing
supply chain
credentials
browser extensions
2025-01-22
data harvesting
Published: January 22, 2025
Downloadable IOCs: 80

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …
backdoor
supply-chain
apt
espionage
china
south korea
vpn
2025-01-22
slowstepper
Published: January 22, 2025
Downloadable IOCs: 0

North Korean group targets nuclear-related organization with new malware

The Lazarus group has evolved its infection chain by targeting employees of a nuclear-related organization with a combination of new and old malware. The attack involved delivering malicious archive files containing trojanized VNC utilities and various malware strains including Ranid Downloader, MI…
supply chain
modular malware
2024-12-19
lpeclient
wordpress c2
cookietime
deathnote campaign
rollmid
servicechanger
ranid downloader
charamel loader
nuclear
trojanized vnc
mistpen
cookieplus
Published: December 19, 2024
Linked vulnerabilities : CVE-2019-0859, CVE-2019-0797
Downloadable IOCs: 1

BADBOX Botnet Is Back

The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices…
malware
android
supply chain
botnet
proxy
ad fraud
triada
2024-12-17
badbox
firmware
smart tv
Published: December 17, 2024
Downloadable IOCs: 22

An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog Security Research has uncovered an ongoing supply chain attack targeting both npm and PyPi package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver infostealer malware to Windows users, leveraging legitimate services like GitHub and repl.it for payload hos…
supply-chain
typosquatting
infostealer
npm
pypi
2024-11-26
roblox
Published: November 26, 2024
Downloadable IOCs: 11

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Unit 42 researchers identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks using malware-infected video conference apps. The cluster likely operates from Laos and exploited a U.S.-based SMB IT services company to apply for other jobs, securing a position at …
phishing
north korea
supply chain
beavertail
contagious interview
invisibleferret
wagemole
2024-11-15
insider threat
fake it workers
Published: November 15, 2024
Downloadable IOCs: 6

Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware

A sophisticated supply chain attack has been discovered targeting the NPM ecosystem. The malicious package 'jest-fet-mock' impersonates popular testing utilities and uses Ethereum smart contracts for command-and-control operations. This cross-platform malware affects Windows, Linux, and macOS, exec…
supply-chain
typosquatting
c2
npm
multi-platform
2024-11-05
blockchain
development-tools
smart-contract
ethereum
jest-fet-mock
Published: November 5, 2024
Downloadable IOCs: 4

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

BORN Group Supply Chain Breach: In-Depth Analysis of Jenkins Exploitation

This analysis examines a substantial supply chain assault on the IT service provider BORN Group. The cybercriminal Intelbroker leveraged a vulnerability (CVE-2024-23897) to breach BORN Group's infrastructure, leading to the exfiltration of sensitive information from various clients. Furthermore, In…
supply chain
github
2024-08-23
Published: August 23, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 5

Persistent npm Campaign Shipping Trojanized jQuery

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…
malware
supply chain
exfiltration
npm
github
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 67

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…
malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform
Published: July 8, 2024
Downloadable IOCs: 28

Supply Chain Compromise Leads to Trojanized Installers

Rapid7 discovered that installers for Notezilla, RecentX, and Copywhiz hosted on conceptworld[.]com were trojanized to execute information-stealing malware. The malware can steal browser credentials, crypto wallet info, clipboard data, and keystrokes, as well as download additional payloads. Rapid7…
supply-chain
2024-07-01
notezilla
copywhiz
recentx
Published: July 1, 2024
Downloadable IOCs: 27

Polyfill supply chain attack hits 100K+ sites

A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain imper…
malvertising
supply chain
2024-06-27
polyfill.js
redirection
Published: June 27, 2024
Downloadable IOCs: 7

Malicious npm package targets AWS users

ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
backdoor
supply-chain
2024-06-27
npm
aws
Published: June 27, 2024
Downloadable IOCs: 3

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Linked vulnerabilities : CVE-2023-20867, CVE-2022-41328, CVE-2022-22948, CVE-2023-34048, CVE-2022-42475
Downloadable IOCs: 39

Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor

Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
backdoor
supply-chain
typosquatting
2024-06-06
cobaltstrike
malicious-installer
Published: June 6, 2024
Downloadable IOCs: 11

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
backdoor
supply chain
CVE-2024-4978
2024-05-24
credential harvesting
installer
stealc infostealer
software
gatedoor/rustdoor
Published: May 24, 2024
Linked vulnerabilities : CVE-2024-4978 (CVSS 8.4)
Downloadable IOCs: 10
Click here to see more Attack Reports