Tag

Supply Chain Attack

All articles tagged with #supply chain attack

North Korea-linked group tied to Mastra AI npm supply-chain attack
technology19 days ago

North Korea-linked group tied to Mastra AI npm supply-chain attack

Microsoft attributes the Mastra AI npm supply-chain attack to North Korea's Sapphire Sleet/BlueNoroff after attackers hijacked an npm maintainer to publish 140+ malicious Mastra packages; the malicious typosquat dependency easy-day-js drops a cross-platform info stealer that exfiltrates credentials and crypto-wallet data across Windows, Linux, and macOS, disables TLS verification, contacts attacker C2, and uses OS-specific persistence and a PowerShell backdoor.

Arch AUR Supply-Chain Breach Hits 400+ Packages with Credential Stealer and eBPF Rootkit
technology29 days ago

Arch AUR Supply-Chain Breach Hits 400+ Packages with Credential Stealer and eBPF Rootkit

A supply-chain attack hijacked more than 400 Arch Linux AUR packages by modifying their build scripts to install a Rust-based credential stealer that can also load an eBPF rootkit when run with root; the attackers targeted abandoned packages to exploit trust, persisted via systemd, and used Tor for C2, prompting users to audit builds, rotate credentials, and thoroughly clean systems rather than assuming safety from package managers.

Malicious npm and Android apps siphon OpenAI Codex tokens in a sophisticated supply-chain attack
security1 month ago

Malicious npm and Android apps siphon OpenAI Codex tokens in a sophisticated supply-chain attack

Security researchers uncovered a malicious supply-chain campaign targeting OpenAI Codex via a legitimate-looking npm package (codexui-android) and related Android apps. The npm package, linked to the friuns account (Igor Levochkin), secretly reads Codex credentials from ~/.codex/auth.json and exfiltrates access_token, refresh_token, id_token, and account ID to a server masquerading as Sentry (sentry.anyclaw.store). The refresh_token is long-lasting, enabling persistent access. The same actor also deployed Android apps (OpenClaw Codex Claude AI Agent and Codex) that run the npm package in a PRoot sandbox to harvest credentials. This underscores growing risks to AI developer tooling and software supply chains.

TrapDoor Strikes npm, PyPI, and Crates.io with Cross-Ecosystem Credential-Stealing Malware
security1 month ago

TrapDoor Strikes npm, PyPI, and Crates.io with Cross-Ecosystem Credential-Stealing Malware

A coordinated TrapDoor campaign targets npm, PyPI, and Crates.io, distributing 34 malicious packages across hundreds of versions to steal developer secrets, crypto wallets, SSH keys, cloud credentials, and environment data. npm payloads run trap-core.js to harvest credentials and establish persistence via cron, systemd, Git hooks, and SSH lateral movement; Rust crates search keystores and exfiltrate data to GitHub Gists; Python packages auto-execute on import and fetch a remote JavaScript payload executed via node -e. The attack also hides instructions in .cursorrules and CLAUDE.md to trick AI tools through PRs, signaling an evolution of developer-workflow attacks across multiple ecosystems.

Git tag hijack turns Laravel Lang releases into credential-stealing malware
security1 month ago

Git tag hijack turns Laravel Lang releases into credential-stealing malware

Attackers rewrote GitHub release tags across four Laravel Lang repositories to point to malicious commits, introducing a dropper in src/helpers.php that downloads a cross-platform credential stealer from flipboxstudio.info. The malware harvests cloud credentials, tokens, SSH keys, and more, with a Windows payload that drops a base64-encoded executable (DebugElevator) to steal browser data and encryption keys. Packagist removed the malicious versions; developers should audit installed versions, rotate credentials, scan for indicators of compromise, and watch for outbound connections to flipboxstudio.info.

Massive Laravel-Lang Breach Sparks Cross-Platform Credential Theft
cybersecurity1 month ago

Massive Laravel-Lang Breach Sparks Cross-Platform Credential Theft

Security researchers warn of a broad compromise of Laravel-Lang PHP packages (laravel-lang/lang, http-statuses, attributes, actions) that injected a malicious src/helpers.php into autoloaded vendor files. The attack involved rapid tagging of 700+ package versions in May 2026, suggesting access to the Laravel Lang release infrastructure. The embedded dropper runs on startup and delivers a ~5,900-line PHP credential stealer that exfiltrates cloud tokens, service credentials, browser data, VPN configs and more to flipboxstudio.info, encrypts results with AES-256, and self-deletes. Windows uses a Visual Basic Script launcher; Linux/macOS execute the payload via shell. Remediation includes auditing dependencies, rotating credentials, upgrading to clean versions, and monitoring for indicators of compromise.

JDownloader supply-chain breach delivers Python RAT through fake installers
technology2 months ago

JDownloader supply-chain breach delivers Python RAT through fake installers

From May 6–7, 2026, the official JDownloader site was compromised to redirect Windows and Linux installer downloads to malicious payloads. The Windows dropper is a Python-based RAT; the Linux installer downloads two ELF binaries, sets up persistence, and masquerades as a system process. The attack exploited CMS access but did not give attackers full OS control. Only the alternative Windows installer and Linux shell installer were affected; other downloads remained safe. Users should verify Digital Signatures (AppWork GmbH) to confirm legitimacy, avoid unsigned or differently signed files, and, if infected, reinstall the OS and reset passwords. Researchers provided IOCs for further analysis.

Bitwarden CLI Breach Ties to Checkmarx Supply Chain Campaign
technology2 months ago

Bitwarden CLI Breach Ties to Checkmarx Supply Chain Campaign

Bitwarden CLI version 2026.4.0 was compromised via a malicious bw1.js distributed through npm during the Checkmarx supply chain campaign, with attackers exploiting a compromised GitHub Action in Bitwarden's CI/CD to steal tokens, secrets and credentials and exfiltrate them to audit.checkmarx.cx (and a fallback GitHub repository). The malware can inject malicious workflows to harvest secrets across downstream pipelines; Bitwarden says no end-user vault data was accessed and the issue was contained with the release deprecated. The incident is linked to TeamPCP and related to the Shai-Hulud activity; a CVE will be issued for this release.

OpenAI warns macOS users of fake OpenAI apps after Axios supply-chain breach
technology3 months ago

OpenAI warns macOS users of fake OpenAI apps after Axios supply-chain breach

OpenAI says a March 31 malicious Axios library update, delivered after a hijacked developer account, infected its Mac app signing workflow and could let attackers ship fake OpenAI apps with valid certificates; no evidence of user data or internal systems being compromised. To mitigate risk, OpenAI will discontinue older macOS app versions on May 8, with a 30-day window for users to update before certificates are revoked.

Trivy hit by TeamPCP supply-chain attack through GitHub Actions
security3 months ago

Trivy hit by TeamPCP supply-chain attack through GitHub Actions

The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors TeamPCP, who backdoored the Trivy GitHub build process and trojanized releases and related GitHub Actions (notably v0.69.4). This allowed an infostealer to harvest credentials and other secrets from GitHub Actions runners, CI configs, and local developer environments, exfiltrating data to a typosquatted C2 server or via a public repo. Attackers gained write access to publish malicious releases and force-push most tags, making detection difficult; Aqua Security linked the breach to an earlier credential exfiltration and noted token rotation wasn't atomic. The incident is connected to a follow-up CanisterWorm npm campaign by the same actor. Remediation includes rotating all secrets, auditing for compromise, and investigating for persistence across environments.

CISA Expands KEV with Four Actively Exploited Flaws
security5 months ago

CISA Expands KEV with Four Actively Exploited Flaws

CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation: CVE-2025-68645 (PHP remote file inclusion in Synacor Zimbra Collaboration Suite; CVSS 8.8; fixed in v10.1.13), CVE-2025-34026 (authentication bypass in Versa Concerto SD-WAN; CVSS 9.2; fixed in 12.2.1 GA), CVE-2025-31125 (improper access control in Vite; CVSS 5.3; fixed across multiple versions), and CVE-2025-54313 (embedded malicious code in eslint-config-prettier as part of a supply-chain attack with Scavenger Loader; CVSS 7.5; linked to July 2025 phishing campaigns). Exploitation of CVE-2025-68645 has been observed since January 14, 2026; details on the others’ exploitation are not provided. FCEB agencies must patch by February 12, 2026 under BOD 22-01.

Security Risks in VS Code Extensions: Ransomware, Cryptomining, and Supply Chain Threats
cybersecurity8 months ago

Security Risks in VS Code Extensions: Ransomware, Cryptomining, and Supply Chain Threats

Cybersecurity researchers discovered a vibe-coded malicious VS Code extension with built-in ransomware capabilities, which exfiltrates and encrypts files, and uses GitHub as a command-and-control server. Additionally, 17 npm packages disguised as SDKs were found to stealthily deploy Vidar Stealer, highlighting ongoing supply chain threats in open-source ecosystems. Microsoft has removed the malicious extension from the marketplace, emphasizing the importance of vigilance in software development.

Multiple Cyberattacks Expose Vulnerabilities in Major Tech Firms
data-breach10 months ago

Multiple Cyberattacks Expose Vulnerabilities in Major Tech Firms

Salesloft has temporarily taken Drift offline after a widespread supply chain attack led to the theft of OAuth tokens, impacting over 700 organizations including major companies like Cloudflare and Google Workspace. The breach exploited compromised OAuth tokens associated with Drift's integration with Salesforce, prompting Salesforce to disable all related integrations as a precaution. The incident is linked to the threat cluster UNC6395, and the affected companies are working with cybersecurity firms to enhance security and prevent further attacks.