Tag

Supply Chain Attack

All articles tagged with #supply chain attack

security2 days ago•3 min saved

TrapDoor Strikes npm, PyPI, and Crates.io with Cross-Ecosystem Credential-Stealing Malware

A coordinated TrapDoor campaign targets npm, PyPI, and Crates.io, distributing 34 malicious packages across hundreds of versions to steal developer secrets, crypto wallets, SSH keys, cloud credentials, and environment data. npm payloads run trap-core.js to harvest credentials and establish persistence via cron, systemd, Git hooks, and SSH lateral movement; Rust crates search keystores and exfiltrate data to GitHub Gists; Python packages auto-execute on import and fetch a remote JavaScript payload executed via node -e. The attack also hides instructions in .cursorrules and CLAUDE.md to trick AI tools through PRs, signaling an evolution of developer-workflow attacks across multiple ecosystems.

via The Hacker News|

#cratesio #credential-theft #npm

security3 days ago•4 min saved

Git tag hijack turns Laravel Lang releases into credential-stealing malware

Attackers rewrote GitHub release tags across four Laravel Lang repositories to point to malicious commits, introducing a dropper in src/helpers.php that downloads a cross-platform credential stealer from flipboxstudio.info. The malware harvests cloud credentials, tokens, SSH keys, and more, with a Windows payload that drops a base64-encoded executable (DebugElevator) to steal browser data and encryption keys. Packagist removed the malicious versions; developers should audit installed versions, rotate credentials, scan for indicators of compromise, and watch for outbound connections to flipboxstudio.info.

via BleepingComputer|

#composer #credential-stealer #git-tag-hijack

cybersecurity3 days ago•5 min saved

Massive Laravel-Lang Breach Sparks Cross-Platform Credential Theft

Security researchers warn of a broad compromise of Laravel-Lang PHP packages (laravel-lang/lang, http-statuses, attributes, actions) that injected a malicious src/helpers.php into autoloaded vendor files. The attack involved rapid tagging of 700+ package versions in May 2026, suggesting access to the Laravel Lang release infrastructure. The embedded dropper runs on startup and delivers a ~5,900-line PHP credential stealer that exfiltrates cloud tokens, service credentials, browser data, VPN configs and more to flipboxstudio.info, encrypts results with AES-256, and self-deletes. Windows uses a Visual Basic Script launcher; Linux/macOS execute the payload via shell. Remediation includes auditing dependencies, rotating credentials, upgrading to clean versions, and monitoring for indicators of compromise.

via The Hacker News|

#credential-theft #cybersecurity #laravel-lang

technology17 days ago•5 min saved

JDownloader supply-chain breach delivers Python RAT through fake installers

From May 6–7, 2026, the official JDownloader site was compromised to redirect Windows and Linux installer downloads to malicious payloads. The Windows dropper is a Python-based RAT; the Linux installer downloads two ELF binaries, sets up persistence, and masquerades as a system process. The attack exploited CMS access but did not give attackers full OS control. Only the alternative Windows installer and Linux shell installer were affected; other downloads remained safe. Users should verify Digital Signatures (AppWork GmbH) to confirm legitimacy, avoid unsigned or differently signed files, and, if infected, reinstall the OS and reset passwords. Researchers provided IOCs for further analysis.

via BleepingComputer|

#jdownloader #linux #malware

technology1 month ago•4 min saved

Open-source supply-chain attack steals credentials via poisoned package

Attackers exploited a GitHub Actions workflow to gain access to signing keys and credentials, publishing a malicious element-data 0.23.3 package that scanned environments for sensitive data; the package was removed within ~12 hours, credentials rotated, and users are urged to upgrade to 0.23.4, purge caches, and rotate any exposed secrets.

via Ars Technica|

#credentials #github-actions #malware

technology1 month ago•4 min saved

Bitwarden CLI Breach Ties to Checkmarx Supply Chain Campaign

Bitwarden CLI version 2026.4.0 was compromised via a malicious bw1.js distributed through npm during the Checkmarx supply chain campaign, with attackers exploiting a compromised GitHub Action in Bitwarden's CI/CD to steal tokens, secrets and credentials and exfiltrate them to audit.checkmarx.cx (and a fallback GitHub repository). The malware can inject malicious workflows to harvest secrets across downstream pipelines; Bitwarden says no end-user vault data was accessed and the issue was contained with the release deprecated. The incident is linked to TeamPCP and related to the Shai-Hulud activity; a CVE will be issued for this release.

via The Hacker News|

#bitwarden #ci-cd #cybersecurity

technology1 month ago•1 min saved

OpenAI warns macOS users of fake OpenAI apps after Axios supply-chain breach

OpenAI says a March 31 malicious Axios library update, delivered after a hijacked developer account, infected its Mac app signing workflow and could let attackers ship fake OpenAI apps with valid certificates; no evidence of user data or internal systems being compromised. To mitigate risk, OpenAI will discontinue older macOS app versions on May 8, with a 30-day window for users to update before certificates are revoked.

via Axios|

#axios-library #code-signing #macos-apps

security2 months ago•6 min saved

Trivy hit by TeamPCP supply-chain attack through GitHub Actions

The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors TeamPCP, who backdoored the Trivy GitHub build process and trojanized releases and related GitHub Actions (notably v0.69.4). This allowed an infostealer to harvest credentials and other secrets from GitHub Actions runners, CI configs, and local developer environments, exfiltrating data to a typosquatted C2 server or via a public repo. Attackers gained write access to publish malicious releases and force-push most tags, making detection difficult; Aqua Security linked the breach to an earlier credential exfiltration and noted token rotation wasn't atomic. The incident is connected to a follow-up CanisterWorm npm campaign by the same actor. Remediation includes rotating all secrets, auditing for compromise, and investigating for persistence across environments.

via BleepingComputer|

#github-actions #infostealer #security

security4 months ago•1 min saved

CISA Expands KEV with Four Actively Exploited Flaws

CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation: CVE-2025-68645 (PHP remote file inclusion in Synacor Zimbra Collaboration Suite; CVSS 8.8; fixed in v10.1.13), CVE-2025-34026 (authentication bypass in Versa Concerto SD-WAN; CVSS 9.2; fixed in 12.2.1 GA), CVE-2025-31125 (improper access control in Vite; CVSS 5.3; fixed across multiple versions), and CVE-2025-54313 (embedded malicious code in eslint-config-prettier as part of a supply-chain attack with Scavenger Loader; CVSS 7.5; linked to July 2025 phishing campaigns). Exploitation of CVE-2025-68645 has been observed since January 14, 2026; details on the others’ exploitation are not provided. FCEB agencies must patch by February 12, 2026 under BOD 22-01.

via The Hacker News|

#actively-exploited #cisa #eslint-config-prettier

cybersecurity6 months ago•3 min saved

Security Risks in VS Code Extensions: Ransomware, Cryptomining, and Supply Chain Threats

Cybersecurity researchers discovered a vibe-coded malicious VS Code extension with built-in ransomware capabilities, which exfiltrates and encrypts files, and uses GitHub as a command-and-control server. Additionally, 17 npm packages disguised as SDKs were found to stealthily deploy Vidar Stealer, highlighting ongoing supply chain threats in open-source ecosystems. Microsoft has removed the malicious extension from the marketplace, emphasizing the importance of vigilance in software development.

via The Hacker News|

#ai-generated-malware #cybersecurity #malicious-vs-code-extension

cybersecurity6 months ago•4 min saved

Nation-State Airstalk Malware Uses Multi-Threaded C2 to Steal Windows Logins

A suspected nation-state threat actor has deployed a new malware called Airstalk, exploiting the AirWatch API for covert C2 communication, with variants capable of capturing browser data and executing various malicious tasks, potentially targeting enterprise sectors like BPO in a sophisticated supply chain attack.

via The Hacker News|

#airstalk #cybersecurity #enterprise-browsers

data-breach8 months ago•2 min saved

Multiple Cyberattacks Expose Vulnerabilities in Major Tech Firms

Salesloft has temporarily taken Drift offline after a widespread supply chain attack led to the theft of OAuth tokens, impacting over 700 organizations including major companies like Cloudflare and Google Workspace. The breach exploited compromised OAuth tokens associated with Drift's integration with Salesforce, prompting Salesforce to disable all related integrations as a precaution. The incident is linked to the threat cluster UNC6395, and the affected companies are working with cybersecurity firms to enhance security and prevent further attacks.

via The Hacker News|

#cybersecurity #data-breach #drift

cybersecurity8 months ago•3 min saved

Cloudflare and Major Security Firms Hit by Supply Chain Data Breaches

Cloudflare was compromised in a supply chain attack involving Salesloft and Drift, where attackers accessed a Salesforce instance containing customer support data and API tokens. The breach exposed customer contact info and support tickets, with threat actors potentially planning future targeted attacks. This incident is part of a broader wave of Salesforce data breaches linked to the ShinyHunters group and other threat actors targeting cloud and CRM platforms.

via BleepingComputer|

#cloudflare #cybersecurity #data-breach

cybersecurity1 year ago•5 min saved

Malicious npm and VS Code Packages Exploiting Developers and Stealing Data

Researchers have uncovered over 70 malicious npm and VS Code packages used for data theft, cryptomining, and destructive payloads, with threat actors deploying sophisticated techniques including masquerading as legitimate tools, evading sandbox detection, and using multi-stage infection chains to compromise developers' systems and steal sensitive information.

via The Hacker News|

#cryptocurrency #cybersecurity #data-theft

cybersecurity2 years ago•2 min saved

"Unveiling the XZ Backdoor: Thwarting Cyber-Attacks and Detecting Implants in Linux Binaries"

Binarly has released an online scanner to detect Linux executables affected by the XZ Utils supply chain attack, CVE-2024-3094. The backdoor, discovered by a Microsoft engineer, was introduced in XZ version 5.6.0 and remained in 5.6.1, impacting a few Linux distributions. Binarly's scanner uses static analysis to identify tampering of transitions in GNU Indirect Function and can detect similar backdoors in other projects. The scanner is available online for unlimited free checks, with a free API for bulk scans also available.

via BleepingComputer|

#backdoor #binarly #cybersecurity