Advertisement

TrapDoor Campaign: Detecting Cross-Ecosystem Supply Chain Attacks
The TrapDoor campaign targets npm, PyPI, and Crates.io with over 384 malicious versions designed to exfiltrate developer credentials and sensitive data.

npm Staged Publishing: New 2FA Controls Prevent Supply Chain Attacks
GitHub introduces staged publishing for npm, requiring manual 2FA approval for package releases to mitigate malicious automated updates and account takeovers.
Analysis of Cross-Platform NPM Stealer Using Discord Webhooks
Technical teardown of an obfuscated Node.js infostealer targeting Discord tokens, crypto wallets, and browser credentials via cross-platform scripts.
GitHub Repository Breach Linked to TanStack Supply Chain Attack
GitHub confirms the breach of 3,800 internal repositories via a compromised VS Code extension linked to the TanStack npm supply chain attack.
Grafana Breach After TanStack Attack: Token Rotation Failure
Grafana suffered a data breach due to a GitHub workflow token not rotated after the TanStack npm supply-chain attack, impacting user data. Learn the details.
320+ @antv NPM Packages Compromised in Mini Shai-Hulud Attack
A maintainer account compromise has led to a major supply chain attack against Alibaba’s @antv NPM namespace, impacting over 320 visualization packages.
TeamPCP Jenkins Plugin Compromise and Mini Shai-Hulud Worm Analysis
TeamPCP escalates its supply chain campaign with a confirmed Jenkins plugin compromise and a self-spreading worm targeting the npm and PyPI ecosystems.
Shai-Hulud Infostealer Surfaces in Malicious npm Package Campaign
Leaked Shai-Hulud malware is targeting Node.js developers via malicious npm packages, exfiltrating sensitive data and credentials to Telegram-based C2.

Microsoft Exchange Zero-Day and npm Supply Chain Worm Under Active Use
Critical security briefing on the active exploitation of an Exchange Server zero-day, npm supply chain worms, and Cisco network control vulnerabilities.

Developer Workstations: The New Front in Software Supply Chain Attacks
A surge in attacks targeting npm, PyPI, and Docker Hub highlights a shift toward stealing developer credentials and API keys from workstations and CI/CD pipelines.
OpenAI Breach: TanStack Supply Chain Attack Impacts Employee Devices
OpenAI confirms two employee devices compromised in a TanStack supply chain attack affecting npm and PyPI packages, prompting certificate rotation.

Malicious node-ipc Versions Compromise Developer Secrets via Supply Chain
Three versions of the node-ipc npm package (9.1.6, 9.2.3, 12.0.1) contain stealer/backdoor functionality targeting developer secrets. Urgent update advised.