Tag: supply chain attack

25 Attack Reports | 0 Vulnerabilities

Attack reports

NuGet malware targets crypto wallets, OAuth tokens

ReversingLabs discovered malicious packages on NuGet targeting the crypto ecosystem. The campaign, starting in July 2025, involved 14 packages impersonating legitimate crypto-related tools. The malware aimed to steal crypto funds by redirecting transactions or exfiltrating secrets for wallet access…
cryptocurrency
supply chain attack
oauth
homoglyphs
2025-12-17
coinbase.net.api
googleads.api
netherеum.all
nuget
version bumping
wallet stealer
Published: December 17, 2025
Downloadable IOCs: 0

Defending Against Sha1-Hulud: The Second Coming

A new variant of the NPM supply chain attack, dubbed Sha1-Hulud, has emerged with enhanced capabilities. Unlike its predecessor, this attack executes in the preinstall phase, targeting popular packages such as Postman, Zapier, and AsyncAPI. The malware harvests credentials across AWS, Azure, and GC…
persistence
npm
supply chain attack
package compromise
2025-11-27
github actions
sha1-hulud
cloud credentials
software development
Published: November 27, 2025
Downloadable IOCs: 3

Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours.…
backdoor
worm
credential harvesting
npm
github
automation
supply-chain attack
2025-11-27
shai-hulud 2.0
Published: November 27, 2025
Downloadable IOCs: 4

The Evolution of Qilin RaaS

Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of…
phishing
ransomware
bitcoin
qilin
ryuk
raas
tor
supply chain attack
nova
2025-10-08
onion
fin12
alphvblackcat
kela
agenda
wikileaks
Published: October 8, 2025
Downloadable IOCs: 5

Shai-Hulud worm infects npm packages

A self-propagating malware called Shai-Hulud has infected over 500 npm packages, including one with over two million weekly downloads. The worm steals sensitive data, exposes private repositories, and hijacks victim credentials to spread further. It executes when an infected package is installed, c…
worm
data-theft
npm
github
supply-chain-attack
package-infection
shai-hulud
2025-09-25
self-propagating
Published: September 25, 2025
Downloadable IOCs: 0

Malicious PyPI Packages Deliver SilentSync RAT

Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturin…
rat
python
typosquatting
supply chain
data theft
remote access
pypi
data-exfiltration
supply-chain-attack
browser-data-theft
2025-09-18
silentsync
2025-09-19
python packages
Published: September 19, 2025
Downloadable IOCs: 0

Ethereum smart contracts used to push malicious code on npm

A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub reposi…
social engineering
cryptocurrency
npm
supply chain attack
ethereum
2025-09-04
smart contracts
colortoolsv2
mimelib2
Published: September 4, 2025
Downloadable IOCs: 0

Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.

A coordinated campaign of 18 malicious browser extensions infected 2.3 million users across Chrome and Edge. These extensions, including a color picker tool, appeared legitimate with verified badges and high install counts. The RedDirection campaign implemented sophisticated browser hijacking mecha…
supply chain attack
chrome
edge
browser extension
2025-07-10
reddirection
trust exploitation
verification bypass
Published: July 10, 2025
Downloadable IOCs: 7

Malicious pull request infects VS Code extension

A VS Code extension for Ethereum smart contract development, ETHcode, was compromised through a GitHub pull request. The attacker, using a newly created account, submitted a PR that introduced a malicious dependency and code to execute it. The compromise was subtle, involving only two lines of code…
github
vs code
supply chain attack
ethereum
javascript obfuscation
2025-07-09
ethcode
keythereum-utils
pull request
Published: July 9, 2025
Downloadable IOCs: 0

Threat actor Banana Squad exploits GitHub repos in new campaign

ReversingLabs researchers have uncovered a new campaign by the threat actor Banana Squad, involving over 60 GitHub repositories containing hundreds of trojanized Python files. The attackers create fake user accounts to host malicious repositories that mimic legitimate ones, using a technique that h…
backdoor
python
open-source
github
stealth techniques
supply chain attack
software supply chain
open-source security
code obfuscation
2025-06-19
2025-06-20
trojanized repositories
Published: June 20, 2025
Downloadable IOCs: 275

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infecte…
backdoor
evasion
vulnerability
persistence
c2
supply chain attack
2025-06-13
pickai
comfyui
ai data theft
Published: June 13, 2025
Downloadable IOCs: 9

PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploade…
typosquatting
remote-access
npm
pypi
data-exfiltration
supply-chain-attack
2025-06-02
colorama
colorizr
Published: June 2, 2025
Downloadable IOCs: 2

Malicious attack method on hosted ML models now targets PyPI

A new malicious campaign has been discovered targeting the Python Package Index (PyPI) by exploiting the Pickle file format in machine learning models. Three malicious packages posing as an Alibaba AI Labs SDK were detected, containing infostealer payloads hidden inside PyTorch models. The packages…
infostealer
ai
pypi
machine learning
supply chain attack
pytorch
2025-05-26
pickle format
Published: May 26, 2025
Downloadable IOCs: 2

Backdoor implant discovered on PyPI posing as debugging utility

A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be pa…
backdoor
russia
ukraine
pypi
supply chain attack
hacktivist
2025-05-15
dbgpkg
function wrapping
global socket toolkit
requestsdev
discordpydebug
Published: May 15, 2025
Downloadable IOCs: 0

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…
infostealer
cryptocurrency
exfiltration
open-source
pypi
blockchain
supply-chain-attack
2025-05-13
solana
solana-token
Published: May 13, 2025
Downloadable IOCs: 0

Disruption of Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

Earth Ammit, a Chinese-linked threat actor, conducted two campaigns targeting drone supply chains in Taiwan and South Korea from 2023 to 2024. The VENOM campaign focused on software service providers using open-source tools, while TIDRONE targeted military industries with custom malware. Their tact…
south korea
taiwan
supply chain attack
2025-05-13
drone industry
venom campaign
custom backdoor
screencap
fiber-based
clntend
venfrpc
cxclnt
tidrone campagin
military sector
Published: May 13, 2025
Downloadable IOCs: 29

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload

Socket's research team discovered a supply-chain attack targeting Go developers through three malicious modules: prototransform, go-mcp, and tlsproxy. These modules used obfuscation techniques to deliver a disk-wiping payload, exploiting the open nature of Go's ecosystem. The attack leveraged names…
linux
obfuscation
data destruction
2025-05-02
supply-chain attack
disk-wiper
go modules
namespace confusion
Published: May 2, 2025
Downloadable IOCs: 2

Malicious PyPi Package Detected Stealing Crypto Tokens

A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and…
cryptocurrency
pypi
supply-chain-attack
2025-04-16
api-hijacking
ccxt
mexc
Published: April 16, 2025
Downloadable IOCs: 2

Typosquatted Go Packages Deliver Malware Loader Targeting Li...

A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. Th…
linux
obfuscation
typosquatting
macos
supply-chain-attack
2025-04-04
elf-malware
go-packages
f0eee999
Published: April 4, 2025
Downloadable IOCs: 0

Over 150K websites hit by full-page hijack linking to Chinese gambling sites

In February, C/Side uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. C/Side continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that appr…
javascript
cyber
chinese
credit card skimmer
supply chain attack
magecart
2025-03-27
february
blog
c/side
client-side
web
development
client/side
cyber security
security
pci dss v4
browser attack
formjacking
website vulnerability scanner
data breaches
content security policies
tag manager
browser side script
javascript security
html entity
uiux changesthe
bet365
english
williamhill
id parameter
css position
Published: March 27, 2025
Downloadable IOCs: 15

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

Compromised ultralytics PyPI package delivers crypto coinminer

A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection. Two versions, 8.3.41 and 8.3.42, were affected before a clean version 8.3.43 was re…
xmrig
coinminer
pypi
2024-12-07
ultralytics
supply-chain-attack
Published: December 7, 2024
Downloadable IOCs: 0

Differential analysis raises red flags over @lottiefiles/lottie-player

ReversingLabs researchers discovered malicious versions of the popular npm package @lottiefiles/lottie-player. Versions 2.0.5, 2.0.6, and 2.0.7 were compromised and used to spread malicious code designed to steal crypto wallet assets. The attackers altered the lottie-player.js file, replacing its c…
npm
cryptocurrency theft
supply chain attack
2024-11-22
package compromise
open-source security
differential analysis
Published: November 22, 2024
Downloadable IOCs: 0

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Triad Nexus: FUNNULL CDN hosting DGA domains for suspect Chinese sites

Silent Push has uncovered a large-scale malicious infrastructure dubbed 'Triad Nexus' hosted on the FUNNULL content delivery network. The investigation revealed over 200,000 unique hostnames, with 95% created using Domain Generation Algorithms. FUNNULL is linked to hosting suspect gambling websites…
phishing
dga
gambling
2024-10-23
supply chain attack
funnull
triad nexus
suncity group
cdn
Published: October 23, 2024
Downloadable IOCs: 70
Click here to see more Attack Reports