software supply chain
-
Shai‑Hulud campaign trojanises hundreds of npm packages and leaks CI/CD secrets to GitHub
A renewed Shai‑Hulud campaign has published thousands of trojanised npm packages that steal developer and CI/CD secrets and post them to GitHub; researchers at Aikido and Wiz say the operation modified legitimate packages, used compromised maintainer accounts and is leaking secrets in automatically created GitHub repositories.
-
Google: APT24 Used New ‘BADAUDIO’ Malware in Years-Long Espionage Campaign
Google Threat Intelligence Group says a China-nexus actor tracked as APT24 used a previously undocumented downloader called BADAUDIO in a campaign from November 2022 into 2025, employing watering holes, supply-chain compromises and spear-phishing to deliver backdoors and second-stage payloads.
-
Acronis warns of ongoing ‘TamperedChef’ malvertising campaign using signed fake installers
Acronis Threat Research Unit says operators are using signed counterfeit installers in a global malvertising campaign dubbed TamperedChef to deploy a JavaScript backdoor, with infections concentrated in the U.S. and several industries affected; some variants have been used for advertising fraud while broader motives remain unclear.
-
China-linked PlushDaemon hijacks software updates with new EdgeStepper implant, ESET says
ESET researchers say a China-linked group called PlushDaemon is hijacking software-update traffic using an EdgeStepper network implant that redirects update domains to attacker servers and delivers a chain of malware including LittleDaemon, DaemonicLogistics and the SlowStepper backdoor.
-
Mandiant ties UNC1549 to long-running campaign using TWOSTROKE and DEEPROOT against aerospace and defence
Google-owned Mandiant linked a cluster it tracks as UNC1549 to a campaign from late 2023 through 2025 in which suspected Iranian espionage actors used backdoors including TWOSTROKE and DEEPROOT to target aerospace, aviation and defence organisations by exploiting third-party credentials, VDI breakouts and targeted phishing.
-
Malicious npm packages use Adspect redirects and fingerprinting to cloak crypto scams
Seven npm packages published under the name ‘dino_reborn’ used Adspect redirects and browser fingerprinting to route real visitors to fake cryptocurrency CAPTCHA scams while showing decoys to likely researchers, Socket researchers found.
-
Researchers: npm registry flooded by tens of thousands of fake packages in two‑year spam campaign
Researchers have identified a two‑year spam campaign that has flooded the npm registry with tens of thousands of fake packages using a worm-like mechanism to auto-publish new packages and potentially monetize the effort via the TEA protocol; investigators say attribution is unconfirmed and registry operators have removed the packages.
-
Malicious Open VSX extension delivers SleepyDuck RAT and uses Ethereum contract for fallback control
Researchers warned that a malicious Open VSX extension, juan-bianco.solidity-vlang, installs a SleepyDuck remote access trojan that uses an Ethereum smart contract and a fallback RPC mechanism to update its command-and-control details.
-
Cybercriminals use RMM tools to target trucking firms, steal freight: Proofpoint
Proofpoint researchers say cybercriminals are compromising trucking and logistics firms with legitimate remote monitoring and management tools to harvest credentials, gain persistent access and fraudulently bid on or divert real shipments, with food and beverage cargo a frequent target.
-
PhantomRaven campaign places malicious code in 126 npm packages
Researchers say a campaign codenamed PhantomRaven has placed malicious code into 126 npm packages since August 2025, using external dynamic dependencies to steal authentication tokens, CI/CD secrets and GitHub credentials; Koi Security and DCODX published analyses.
