software supply chain
-
Researchers identify first malicious Outlook add-in that stole over 4,000 credentials
Researchers found the first malicious Outlook add-in in the wild, where a hijacked add-in domain hosted a fake sign in page and captured more than 4,000 credentials, exposing gaps in marketplace content monitoring.
-
Audit finds 341 malicious skills on ClawHub marketplace
An analysis found 341 malicious skills on the ClawHub marketplace among 2,857 audited entries. The skills used fake prerequisites and scripts to deliver macOS information stealers and backdoors, creating a supply chain risk for OpenClaw users.
-
State actors hijacked Notepad++ updater to redirect users to malicious servers
Notepad++’s maintainer said attackers compromised hosting infrastructure to hijack the updater and redirect some users to malicious servers. The activity began in June 2025 and credentials persisted until December 2 2025.
-
eScan update servers used to deliver persistent downloader in supply chain attack
Unknown attackers distributed a malicious eScan update on January 20, 2026 that replaced reload.exe and deployed a downloader. The vendor isolated servers for over eight hours and published a patch to revert the changes.
-
eScan update server breached to deliver malicious update on January 20 2026
An eScan update server was breached on January 20 2026 and pushed a malicious update to a subset of customers. Morphisec’s security bulletin details the modified updater and final backdoor payload.
-
Two malicious PyPI spellchecker packages delivered Python RAT and were downloaded over 1,000 times
Researchers found two malicious PyPI packages that hid a Base64 downloader in a Basque dictionary file and delivered a Python RAT after a January 21 2026 update. The packages were downloaded just over 1,000 times before removal.
-
Git dependencies can bypass npm ignore-scripts protections, researchers find
Koi Security found that Git dependencies can circumvent npm’s –ignore-scripts protection and allow code execution. Several JavaScript package managers patched the flaws but npm closed the report and did not apply a fix
-
Report: North Korean-linked PurpleBravo targeted 3,136 IPs and 20 companies
Recorded Future’s technical analysis found PurpleBravo targeted 3,136 IPs and claimed 20 potential victim companies across multiple regions from August 2024 to September 2025, using infostealers and backdoors to create supply-chain risk.
-
CodeBreach misconfiguration in AWS CodeBuild could have exposed aws-sdk-js-v3 GitHub repo
A CodeBuild misconfiguration could have allowed takeover of AWS-managed GitHub repositories including the AWS JavaScript SDK. The flaw, dubbed CodeBreach, was fixed in September 2025 after responsible disclosure.
-
Malicious npm WhatsApp API ‘lotusbail’ found stealing tokens and linking attacker devices
A malicious npm package named lotusbail, downloaded more than 56,000 times, masquerades as a WhatsApp API while capturing authentication tokens, messages and contacts and linking an attacker device to victims’ WhatsApp accounts, Koi Security researchers said; ReversingLabs also disclosed related NuGet supply-chain malware.
