{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/npm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitwarden CLI"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","exfiltration","npm"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eA compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory; another brief in this feed lists \u003ccode\u003e@bitwarden/cli\u003c/code\u003e 2026.4.0 among the affected products. This supply chain attack targets developers, CI jobs, and users who rely on the Bitwarden CLI for managing their passwords and secrets. Because a logged-in CLI keeps vault data in its local data file and, once unlocked, a session key (commonly exported as \u003ccode\u003eBW_SESSION\u003c/code\u003e), a compromised build of it exposes sensitive credentials and leads to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains the ability to publish a malicious build of the Bitwarden CLI npm package. The advisory does not state the vector; for this class of attack it is typically a compromised maintainer account or publish token, or a lookalike (typosquatted) package that impersonates the legitimate one.\u003c/li\u003e\n\u003cli\u003eUnsuspecting developers, users, or CI pipelines download and install the compromised package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, an npm lifecycle script (\u003ccode\u003epreinstall\u003c/code\u003e or \u003ccode\u003epostinstall\u003c/code\u003e) in the package runs the attacker\u0026rsquo;s code with the installing user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003cli\u003eThe malicious code collects Bitwarden credentials and other sensitive information stored in the CLI\u0026rsquo;s configuration, such as the local data file and any session key exported as \u003ccode\u003eBW_SESSION\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eStolen credentials and sensitive information are exfiltrated to the 
attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access the victim\u0026rsquo;s Bitwarden vaults or other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may further escalate privileges and compromise additional systems within the victim\u0026rsquo;s environment using secrets recovered from the vault.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage, including CI/CD pipelines that use it to fetch deployment secrets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCheck lockfiles and CI install logs for the affected package version, and treat every host that installed it as compromised: change the Bitwarden master password, revoke active sessions, rotate the CLI API key, and rotate any secrets the vault held.\u003c/li\u003e\n\u003cli\u003eMonitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring; lifecycle scripts spawning shells, \u003ccode\u003ecurl\u003c/code\u003e, or \u003ccode\u003enode -e\u003c/code\u003e during an install are the first visible sign.\u003c/li\u003e\n\u003cli\u003eInstall from a lockfile with \u003ccode\u003enpm ci\u003c/code\u003e, pin the CLI to a known-good version rather than a floating range, and use \u003ccode\u003e--ignore-scripts\u003c/code\u003e where the package does not need lifecycle scripts to function.\u003c/li\u003e\n\u003cli\u003eImplement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration; connections to anything other than the configured Bitwarden server are the signal.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft. MFA does not stop an attacker who already holds a valid session key or API key, which is why the session revocation and key rotation above are also required.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T11:28:56Z","date_published":"2026-05-04T11:28:56Z","id":"/briefs/2026-05-bitwarden-cli-compromise/","summary":"A remote attacker can exploit a compromised Bitwarden CLI npm package to steal 
credentials and exfiltrate sensitive information.","title":"Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@bitwarden/cli (2026.4.0)","@cap-js/sqlite (2.2.2)","@cap-js/postgres (2.2.2)","@cap-js/db-service (2.10.1)","mbt (1.2.48)","SAP Cloud Application Programming (CAP) Model","checkmarx/kics"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["npm","GitHub","SAP","Bitwarden","Checkmarx","Microsoft"],"content_html":"\u003cp\u003eThe npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string \u0026ldquo;Shai-Hulud: The Third Coming,\u0026rdquo; and the other, dubbed \u0026ldquo;Mini Shai-Hulud,\u0026rdquo; targeted the SAP developer ecosystem. 
The compromised packages are often part of SAP\u0026rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a \u0026ldquo;preinstall\u0026rdquo; hook.\u003c/li\u003e\n\u003cli\u003eExecution of setup.mjs: During the \u003ccode\u003enpm install\u003c/code\u003e process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.\u003c/li\u003e\n\u003cli\u003eBun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.\u003c/li\u003e\n\u003cli\u003eExecution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. 
It also targets Claude and MCP configuration files and Electrum wallets.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.\u003c/li\u003e\n\u003cli\u003ePropagation: The malware searches for commits containing the keyword \u0026ldquo;OhNoWhatsGoingOnWithGitHub,\u0026rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. 
The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor npm install processes for unexpected execution of \u003ccode\u003enode setup.mjs\u003c/code\u003e (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Bun Process Execution\u0026rdquo; to identify potential execution of the Bun runtime from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual processes connecting to \u003ccode\u003eapi.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub\u003c/code\u003e (see IOCs) to detect potential C2 activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Github Commit By Claude Email\u0026rdquo; to identify commits authored with the email \u003ccode\u003eclaude@users.noreply.github.com\u003c/code\u003e to detect malicious commits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T00:10:33Z","date_published":"2026-05-02T00:10:33Z","id":"/briefs/2026-05-npm-supply-chain/","summary":"Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.","title":"Increased npm Supply Chain Attacks Targeting SAP Developers","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming (CAP)","Cloud MTA Build 
Tool","@cap-js/db-service","@cap-js/postgres","@cap-js/sqlite","github.com"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","sap","credential-theft"],"_cs_type":"threat","_cs_vendors":["SAP","GitHub"],"content_html":"\u003cp\u003eThe Mini Shai-Hulud campaign, active as of April 2026, targets SAP NPM packages used in the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. Four package versions were compromised: \u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, and \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e. These packages, with over 500,000 combined weekly downloads, are essential for SAP\u0026rsquo;s Cloud MTA Build Tool and database services for CAP software. The attackers injected a preinstall script that fetches and executes a Bun binary, bypassing security monitoring. The malicious versions were available for a short window of 2-4 hours before being unpublished and superseded by clean versions. 
Wiz attributes this activity to TeamPCP due to a shared RSA public key used to encrypt the exfiltrated secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an NPM token, possibly exposed through CircleCI.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious \u003ccode\u003epreinstall\u003c/code\u003e script into the targeted SAP NPM packages (\u003ccode\u003embt\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e) and publishes the poisoned versions with the stolen token.\u003c/li\u003e\n\u003cli\u003eWhen a user installs the compromised package, the \u003ccode\u003epreinstall\u003c/code\u003e script executes.\u003c/li\u003e\n\u003cli\u003eThe script fetches a Bun ZIP archive from a GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe script extracts the Bun archive and executes the included Bun binary. Bun is a legitimate JavaScript runtime; running the payload under it rather than under \u003ccode\u003enode\u003c/code\u003e is what lets the chain slip past monitoring tuned to npm and node activity.\u003c/li\u003e\n\u003cli\u003eThe Bun runtime runs the bundled obfuscated stealer (the \u003ccode\u003eexecution.js\u003c/code\u003e payload described in the related briefs in this feed), which steals local credentials, GitHub and NPM tokens, and AWS, Azure, GCP, GitHub Actions, and Kubernetes secrets.\u003c/li\u003e\n\u003cli\u003eThe stolen data is encrypted with the actor\u0026rsquo;s RSA public key and exfiltrated to public GitHub repositories with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. 
Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eOrganizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (\u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e) during the exposure window. Search lockfiles (\u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003epnpm-lock.yaml\u003c/code\u003e) and CI install logs for those exact versions; a floating range such as \u003ccode\u003e^2.2.1\u003c/code\u003e that was resolved during the window is the case to worry about. Because the window was only a few hours and install logs are often short-lived, also rotate every token and cloud credential that was present on a host or runner that ran an install in that period, not just the ones known to be taken.\u003c/li\u003e\n\u003cli\u003eLook for public GitHub repositories created under your users\u0026rsquo; accounts with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;, using the GitHub audit log (\u003ccode\u003erepo.create\u003c/code\u003e events) or the repository search API. Network monitoring alone is of limited use here: the exfiltration is ordinary HTTPS to \u003ccode\u003eapi.github.com\u003c/code\u003e and repository names are not visible without TLS inspection.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the execution of \u003ccode\u003ebun\u003c/code\u003e binaries in unusual or unexpected locations to identify systems where compromised packages were installed. 
Deploy the Sigma rule \u003ccode\u003eDetect Bun Execution From NPM Package\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T14:27:36Z","date_published":"2026-04-30T14:27:36Z","id":"/briefs/2026-04-mini-shai-hulud/","summary":"The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.","title":"Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages","url":"https://feed.craftedsignal.io/briefs/2026-04-mini-shai-hulud/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming Model (CAP)","Cloud MTA"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","npm"],"_cs_type":"threat","_cs_vendors":["SAP"],"content_html":"\u003cp\u003eOn April 29, 2026, security researchers discovered that multiple official SAP npm packages were compromised in a supply-chain attack, suspected to be carried out by TeamPCP. The compromised packages, including \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/postgres\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/db-service\u003c/code\u003e (v2.10.1), and \u003ccode\u003embt\u003c/code\u003e (v1.2.48), support SAP\u0026rsquo;s Cloud Application Programming Model (CAP) and Cloud MTA, commonly used in enterprise development. The attack involves injecting a malicious \u0026lsquo;preinstall\u0026rsquo; script into these packages, which executes automatically during installation. This script downloads and executes a heavily obfuscated JavaScript payload designed to steal sensitive credentials from developer machines and CI/CD environments. 
This incident highlights the ongoing risk of supply chain attacks targeting widely used development tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Threat actors compromise official SAP npm packages (\u003ccode\u003e@cap-js/sqlite\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003embt\u003c/code\u003e). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Modification:\u003c/strong\u003e The compromised npm packages are modified to include a malicious \u0026lsquo;preinstall\u0026rsquo; script.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInstallation Trigger:\u003c/strong\u003e When developers install the compromised packages using \u003ccode\u003enpm install\u003c/code\u003e, the \u0026lsquo;preinstall\u0026rsquo; script executes automatically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Download:\u003c/strong\u003e The \u0026lsquo;preinstall\u0026rsquo; script launches a loader named \u003ccode\u003esetup.mjs\u003c/code\u003e that downloads the Bun JavaScript runtime from GitHub.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution of Information Stealer:\u003c/strong\u003e The Bun runtime is used to execute a heavily obfuscated \u003ccode\u003eexecution.js\u003c/code\u003e payload, which acts as an information stealer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables.  
It also attempts to extract secrets directly from the CI runner\u0026rsquo;s memory by scanning \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/maps\u003c/code\u003e and \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The stolen data is encrypted and uploaded to public GitHub repositories under the victim\u0026rsquo;s account. These repositories include the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The malware searches GitHub commits for the string \u003ccode\u003eOhNoWhatsGoingOnWithGitHub:\u0026lt;base64\u0026gt;\u003c/code\u003e, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim\u0026rsquo;s network, data exfiltration, and further supply chain attacks. 
The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of \u003ccode\u003epreinstall\u003c/code\u003e scripts executing unusual processes, such as the execution of \u003ccode\u003esetup.mjs\u003c/code\u003e or the download of the Bun JavaScript runtime from GitHub; implement the \u003ccode\u003eDetect Suspicious NPM Package Preinstall Script\u003c/code\u003e Sigma rule. In process telemetry this shows up as a \u003ccode\u003enode\u003c/code\u003e child of \u003ccode\u003enpm install\u003c/code\u003e with \u003ccode\u003esetup.mjs\u003c/code\u003e on its command line, followed by a \u003ccode\u003ebun\u003c/code\u003e process started from a temporary directory.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect GitHub Repository Creation with \u0026quot;A Mini Shai-Hulud has Appeared\u0026quot; Description\u003c/code\u003e Sigma rule to detect exfiltration attempts via public GitHub repositories.\u003c/li\u003e\n\u003cli\u003eAudit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; the suspected initial access vector in this campaign was a misconfigured CircleCI job, so review what your own pipelines expose to third-party steps and to anyone who can push a branch.\u003c/li\u003e\n\u003cli\u003eMonitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/maps\u003c/code\u003e and \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e as outlined in the Attack Chain. A process opening another process\u0026rsquo;s \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e is rare in CI and makes a high-fidelity signal; access to it is gated by the same permission check as \u003ccode\u003eptrace\u003c/code\u003e attach, so a restrictive Yama \u003ccode\u003eptrace_scope\u003c/code\u003e on self-hosted runners narrows the exposure.\u003c/li\u003e\n\u003cli\u003eRemove the compromised versions \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/postgres\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/db-service\u003c/code\u003e (v2.10.1), and \u003ccode\u003embt\u003c/code\u003e (v1.2.48) and pin to the clean superseding versions across your development and CI/CD 
environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T22:43:44Z","date_published":"2026-04-29T22:43:44Z","id":"/briefs/2026-04-sap-npm-compromise/","summary":"Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.","title":"Compromised SAP npm Packages Steal Developer Credentials","url":"https://feed.craftedsignal.io/briefs/2026-04-sap-npm-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["npm packages"],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe CanisterSprawl campaign, first disclosed in April 2026, is a self-propagating malware targeting npm packages. This campaign focuses on stealing sensitive information, such as API keys, authentication tokens, and crypto wallet data from developer environments. The malware attempts to automate the process of publishing malicious packages to the npm registry using compromised developer accounts. By hijacking trusted credentials, CanisterSprawl seeks to extend its reach within the open-source ecosystem, turning a single compromised machine into a potential source of widespread supply chain attacks. 
This campaign highlights the need for robust security measures to prevent the installation of malicious packages and detect unauthorized activity within developer environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a malicious npm package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, the package executes embedded code automatically.\u003c/li\u003e\n\u003cli\u003eThe malware scans environment variables on the local system, looking for credentials and developer tokens.\u003c/li\u003e\n\u003cli\u003eThe malware harvests browser credentials, crypto wallet data, and configuration files containing credentials.\u003c/li\u003e\n\u003cli\u003eThe collected data is exfiltrated to an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to locate an npm automation token on the infected machine.\u003c/li\u003e\n\u003cli\u003eIf a token is found, the malware lists all packages to which the token grants \u0026ldquo;write\u0026rdquo; access.\u003c/li\u003e\n\u003cli\u003eThe malware downloads the packages, injects the malicious script into them, and republishes them to the npm registry, spreading the infection to other projects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful CanisterSprawl infections can lead to the exfiltration of sensitive data, including API keys, authentication tokens, and credentials, which can be used to gain unauthorized access to internal systems and services. The malware\u0026rsquo;s self-propagating nature allows it to spread through the npm ecosystem, potentially compromising numerous projects and developer accounts. If successful, attackers can inject malicious code into trusted packages, leading to supply chain attacks that affect a large number of downstream consumers. 
This can damage the reputation of affected developers and organizations, and result in significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRemove any identified malicious packages immediately to prevent further data theft and propagation.\u003c/li\u003e\n\u003cli\u003eRotate potentially compromised credentials, tokens, and API keys that may have been exposed from affected hosts.\u003c/li\u003e\n\u003cli\u003eReview environment variables and local credentials on developer machines for potential compromise.\u003c/li\u003e\n\u003cli\u003eAudit account activity for unauthorized publishing or access to the npm registry, as highlighted in the Overview section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious processes attempting to access sensitive files related to credentials.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring for common credential storage locations and configuration files to detect unauthorized access and modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T16:18:33Z","date_published":"2026-04-23T16:18:33Z","id":"/briefs/2026-04-canistersprawl-npm-malware/","summary":"The CanisterSprawl malware campaign targets npm packages, using a self-propagating approach to steal sensitive data from developer machines, including tokens and API keys, and attempting to publish malicious packages using hijacked credentials.","title":"CanisterSprawl: Self-Propagating npm Malware Campaign","url":"https://feed.craftedsignal.io/briefs/2026-04-canistersprawl-npm-malware/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-24884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["npm","supply-chain","symlink","directory-traversal","privilege-escalation","arbitrary-file-overwrite"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe 
\u003ccode\u003ecompressing\u003c/code\u003e npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites through a symlink path traversal that bypasses the patch for CVE-2026-24884. The vulnerability arises from incomplete validation in the \u003ccode\u003eisPathWithinParent\u003c/code\u003e utility: the check is purely lexical (it normalizes and compares path strings) and never consults the filesystem, so a symbolic link that already exists inside the extraction directory is not recognized as one. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a \u0026ldquo;poisoned path\u0026rdquo; on their system. The attacker can then craft a malicious archive that, when extracted into that directory by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via \u003ccode\u003egit clone\u003c/code\u003e makes this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Git repository containing a symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) pointing to a sensitive target file or directory (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e in the proof of concept, standing in for a real target such as \u003ccode\u003e/etc/passwd\u003c/code\u003e). Git stores the link as a blob with mode \u003ccode\u003e120000\u003c/code\u003e, so it survives push and clone.\u003c/li\u003e\n\u003cli\u003eAttacker generates a malicious payload (e.g., \u003ccode\u003epayload.tar\u003c/code\u003e) containing a regular file with the same name as the symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) and uploads both to their Git repository.\u003c/li\u003e\n\u003cli\u003eVictim clones the attacker\u0026rsquo;s Git repository using \u003ccode\u003egit clone\u003c/code\u003e. 
With the default \u003ccode\u003ecore.symlinks=true\u003c/code\u003e on POSIX hosts, checkout recreates the symbolic link on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eVictim runs an application that utilizes the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e library to extract the \u003ccode\u003epayload.tar\u003c/code\u003e archive into the cloned directory (the symlink must sit under the extraction destination for the lexical check to pass).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s \u003ccode\u003eisPathWithinParent\u003c/code\u003e function resolves the destination path of the entry being extracted as a string and confirms it lies inside the extraction root, which is true. Because there is no \u003ccode\u003elstat\u003c/code\u003e of the existing path, the symbolic link is not detected.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efs.writeFile\u003c/code\u003e opens \u003ccode\u003econfig_file\u003c/code\u003e, the kernel follows the symlink, and the contents of the file from \u003ccode\u003epayload.tar\u003c/code\u003e are written to the targeted sensitive file (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eArbitrary file overwrite occurs within the privileges of the extracting process, potentially leading to privilege escalation or code execution.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistent access or control by overwriting critical system files, which requires the extracting process to have write access to them (for example, running as root).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to overwrite any file the extracting process can write, potentially leading to privilege escalation by modifying sensitive system files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e when extraction runs as root. Code execution can be achieved by overwriting executable binaries, startup scripts, or shell initialization files owned by the extracting user; the trigger is remote (an attacker-supplied repository and archive) even though the overwrite itself is local. Data corruption can also occur through the modification of application data or database files. 
This vulnerability impacts developers and organizations using the \u003ccode\u003ecompressing\u003c/code\u003e library up to version v2.1.0 when extracting untrusted archives into a directory whose existing contents an attacker may have influenced.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecompressing\u003c/code\u003e npm package to a patched version that includes proper symlink handling. This is the primary remediation.\u003c/li\u003e\n\u003cli\u003eInspect Git repositories for suspicious symbolic links before checking them out: clone with \u003ccode\u003egit clone --no-checkout\u003c/code\u003e and run \u003ccode\u003egit ls-tree -r \u0026lt;commit-ish\u0026gt; | grep ^120000\u003c/code\u003e (mode \u003ccode\u003e120000\u003c/code\u003e marks a symlink). For clones of untrusted repositories, \u003ccode\u003egit clone -c core.symlinks=false \u0026lt;url\u0026gt;\u003c/code\u003e checks links out as plain files containing the link text, which removes the poisoned path entirely.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring for file writes to unexpected locations based on the \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s activity. Create a detection rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e to detect writes to sensitive directories such as \u003ccode\u003e/etc\u003c/code\u003e by \u003ccode\u003enode\u003c/code\u003e processes. Which modules a process has loaded is not visible to most endpoint telemetry, so key the rule on the process image and the destination path rather than on the module.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes related to the \u003ccode\u003ecompressing\u003c/code\u003e library after file extraction. 
Create a Sigma rule based on \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e to detect unusual outbound connections after archive extraction.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-compressing-symlink-bypass/","summary":"A vulnerability in the `compressing` npm package (\u003c=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.","title":"compressing npm Package Symlink Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["npm","openclaw","environment-variable-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package, distributed through npm, was found to have a vulnerability affecting versions prior to 2026.4.10. This vulnerability stems from an inadequate environment variable denylist in the exec environment policy. Specifically, the policy failed to block high-risk interpreter startup variables such as \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, and \u003ccode\u003eHOSTALIASES\u003c/code\u003e. Anyone able to pass environment variables through the exec policy could therefore set variables that an interpreter or the resolver honors at startup, influencing the behavior of downstream execution or network operations. The vulnerability was reported by @feiyang666 of Tencent zhuque Lab. The fix shipped in version 2026.4.10; later releases, including 2026.4.14, also contain it. 
This vulnerability allows for potential code execution or network manipulation through environment variables.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a way to supply environment variables to commands that a vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e installation (prior to 2026.4.10) runs through its exec environment policy.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a variable the denylist does not cover, such as \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, or \u003ccode\u003eHOSTALIASES\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe policy passes the variable through unchanged, and \u003ccode\u003eopenclaw\u003c/code\u003e spawns a child process that inherits it.\u003c/li\u003e\n\u003cli\u003eThe child honors the variable at startup, before any of the intended command runs: Vim executes the contents of \u003ccode\u003eVIMINIT\u003c/code\u003e (or \u003ccode\u003eEXINIT\u003c/code\u003e when \u003ccode\u003eVIMINIT\u003c/code\u003e is unset) as Ex commands, which can run arbitrary shell commands, and the standalone Lua interpreter executes \u003ccode\u003eLUA_INIT\u003c/code\u003e as Lua code.\u003c/li\u003e\n\u003cli\u003eFor network operations, \u003ccode\u003eHOSTALIASES\u003c/code\u003e points the glibc resolver at an attacker-written alias file, so unqualified hostnames used by the child resolve to attacker-chosen hosts and its requests are redirected to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe outcome is arbitrary code execution or modified network behavior in the context of the spawned process, which the attacker uses to gain unauthorized access, exfiltrate data, cause denial of service, or move further into the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for arbitrary code execution or network redirection by injecting malicious environment variables. 
Successful exploitation could lead to unauthorized access to sensitive data, system compromise, or denial-of-service conditions. The specific impact depends on the context in which \u003ccode\u003eopenclaw\u003c/code\u003e is used and the permissions of the user running the affected process. The reported vulnerability has been fixed in \u003ccode\u003eopenclaw\u003c/code\u003e version 2026.4.10 and later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e package to version 2026.4.10 or later to remediate the vulnerability, as indicated in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-vfp4-8x56-j7c5\"\u003ehttps://github.com/advisories/GHSA-vfp4-8x56-j7c5\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the presence of environment variables being passed to child processes, focusing on \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, and \u003ccode\u003eHOSTALIASES\u003c/code\u003e. Most process-creation telemetry records the command line but not the environment block, so confirm that your sensor captures it before relying on this. A denylist of this kind is inherently incomplete (other interpreters honor their own startup variables, for example \u003ccode\u003ePERL5OPT\u003c/code\u003e and \u003ccode\u003eNODE_OPTIONS\u003c/code\u003e), so where you control the exec policy, prefer an allowlist of variables forwarded to child processes. 
Implement the Sigma rule below to detect suspicious process execution involving these variables.\u003c/li\u003e\n\u003cli\u003eImplement a system-wide policy to restrict the modification of environment variables by non-administrative users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T21:54:20Z","date_published":"2026-04-17T21:54:20Z","id":"/briefs/2024-01-23-openclaw-env-injection/","summary":"The openclaw package versions prior to 2026.4.10 are vulnerable to environment variable injection, where the exec environment policy missed interpreter startup variables allowing operator-supplied environment overrides to influence downstream execution or network behavior, addressed in versions 2026.4.10 and later.","title":"OpenClaw Environment Variable Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-23-openclaw-env-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-35641"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35641","code-execution","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions before 2026.3.24 are susceptible to arbitrary code execution. The vulnerability lies in the local plugin and hook installation process. An attacker can exploit this by crafting a malicious \u003ccode\u003e.npmrc\u003c/code\u003e file that overrides the \u003ccode\u003egit\u003c/code\u003e executable. During the \u003ccode\u003enpm install\u003c/code\u003e execution within the staged package directory, the system inadvertently triggers the attacker\u0026rsquo;s specified programs. This happens because \u003ccode\u003enpm\u003c/code\u003e leverages \u003ccode\u003egit\u003c/code\u003e dependencies, and the overridden \u003ccode\u003egit\u003c/code\u003e path points to a malicious executable. This can allow complete system compromise, depending on the permissions of the user running the \u003ccode\u003enpm install\u003c/code\u003e command. 
This vulnerability was reported on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target system running a vulnerable version of OpenClaw (prior to 2026.3.24).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003e.npmrc\u003c/code\u003e file. This file contains a configuration that overrides the \u003ccode\u003egit\u003c/code\u003e executable path to point to a malicious binary under attacker control. For example, \u003ccode\u003egit=path/to/malicious/executable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker places the crafted \u003ccode\u003e.npmrc\u003c/code\u003e file in a location where the \u003ccode\u003enpm\u003c/code\u003e command will recognize it (e.g., the project directory, user\u0026rsquo;s home directory, or a global configuration directory).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an \u003ccode\u003enpm install\u003c/code\u003e command execution within a project that processes plugins or hooks.\u003c/li\u003e\n\u003cli\u003eDuring the \u003ccode\u003enpm install\u003c/code\u003e process, \u003ccode\u003enpm\u003c/code\u003e attempts to resolve git dependencies.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003e.npmrc\u003c/code\u003e configuration, \u003ccode\u003enpm\u003c/code\u003e executes the attacker-controlled \u0026ldquo;git\u0026rdquo; executable specified in the .npmrc file instead of the legitimate git binary.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled executable executes arbitrary code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, potentially leading to system compromise, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code with the privileges of the 
user running the \u003ccode\u003enpm install\u003c/code\u003e command. This can lead to complete system compromise, sensitive data leakage, or denial-of-service. While the specific number of victims is unknown, any system running a vulnerable version of OpenClaw is at risk. Sectors most likely to be impacted are those relying on OpenClaw for plugin and hook management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to patch the vulnerability (CVE-2026-35641).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on \u003ccode\u003e.npmrc\u003c/code\u003e files to detect unauthorized modifications (file_event log source).\u003c/li\u003e\n\u003cli\u003eMonitor process executions where \u003ccode\u003enpm\u003c/code\u003e spawns child processes from unusual or unexpected paths, especially those outside standard installation directories (process_creation log source). Use the Sigma rule provided below to detect this behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:17:04Z","date_published":"2026-04-10T17:17:04Z","id":"/briefs/2026-04-openclaw-code-exec/","summary":"OpenClaw before 2026.3.24 is vulnerable to arbitrary code execution via local plugin and hook installation, where an attacker can craft a .npmrc file with a git executable override to execute malicious code during npm install.","title":"OpenClaw Arbitrary Code Execution via Malicious .npmrc File","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-code-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","trust-model","system-prompt-injection","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a user-controlled local assistant, is susceptible to a vulnerability affecting its trust model. 
This vulnerability, present in versions 2026.4.2 and earlier, allows authenticated \u003ccode\u003e/hooks/wake\u003c/code\u003e calls and mapped \u003ccode\u003ewake\u003c/code\u003e payloads to be improperly promoted into the trusted \u003ccode\u003eSystem:\u003c/code\u003e prompt channel. This occurs because the application fails to correctly differentiate between trusted system events and untrusted user-supplied events. The issue was reported on April 9th, 2026, and addressed in version 2026.4.8. The vulnerability specifically impacts the OpenClaw trust model, which assumes a single-tenant environment; it is not applicable to multi-tenant service boundaries. Defenders need to ensure OpenClaw is updated to the patched version to mitigate potential security exploits within this trust model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenClaw instance running version 2026.4.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the OpenClaw instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload intended to be interpreted as a standard \u0026ldquo;wake\u0026rdquo; command.\u003c/li\u003e\n\u003cli\u003eAttacker sends a specially crafted \u003ccode\u003e/hooks/wake\u003c/code\u003e request or a mapped \u003ccode\u003ewake\u003c/code\u003e payload containing the malicious content.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, OpenClaw incorrectly promotes the attacker-controlled payload into the trusted \u003ccode\u003eSystem:\u003c/code\u003e prompt channel.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw assistant processes the malicious payload within the \u003ccode\u003eSystem:\u003c/code\u003e context, granting it elevated privileges within the application\u0026rsquo;s trust model.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes arbitrary commands or actions within the OpenClaw environment as a trusted system 
component.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could involve data manipulation, unauthorized access to local resources, or other malicious activities within the scope of the OpenClaw assistant.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to inject malicious commands into the trusted system prompt channel of OpenClaw. Successful exploitation could lead to unauthorized data access, modification, or execution of arbitrary code within the OpenClaw environment. While the advisory does not specify the number of affected users, any instance running OpenClaw version 2026.4.2 or earlier is vulnerable. The primary risk is the compromise of the user\u0026rsquo;s local assistant and potentially the data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to remediate the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for suspicious activity related to the \u003ccode\u003e/hooks/wake\u003c/code\u003e endpoint (develop custom rules based on your OpenClaw logging configuration).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect potential exploitation attempts by monitoring process execution following \u003ccode\u003e/hooks/wake\u003c/code\u003e requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:22:23Z","date_published":"2026-04-09T14:22:23Z","id":"/briefs/2026-04-openclaw-trust-model/","summary":"OpenClaw versions 2026.4.2 and earlier are vulnerable to a trust model issue where authenticated wake hooks or mapped wake payloads can be promoted into the trusted System prompt channel, potentially leading to security vulnerabilities within the OpenClaw trust model.","title":"OpenClaw Trust Model Vulnerability: System 
Prompt Channel Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-model/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","strapi","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA threat actor has compromised the Strapi ecosystem by publishing 36 malicious NPM packages posing as legitimate Strapi plugins. This supply chain attack, discovered by SafeDep, targets users of the open-source headless CMS, Strapi, which is built on Node.js. The malicious packages contain a variety of payloads designed to compromise Strapi installations. These payloads include capabilities for Redis code execution, Docker container escape, credential harvesting, reverse shell deployment, and establishing persistent implants. The attackers specifically targeted the cryptocurrency payment gateway Guardarian, indicating a focus on financial gain and data exfiltration from this specific organization. 
The malicious activity was observed starting around April 6, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker publishes 36 malicious NPM packages to the NPM registry, using names that mimic legitimate Strapi plugins to entice Strapi developers to install them.\u003c/li\u003e\n\u003cli\u003eA Strapi developer installs one or more of the malicious NPM packages into their Strapi project using the \u003ccode\u003enpm install\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eUpon installation, the malicious package executes its payload, which may include Redis code execution by injecting crontab entries and deploying PHP/Node.js reverse shells.\u003c/li\u003e\n\u003cli\u003eThe payload attempts to escape Docker containers via overlay filesystem discovery, writing shells to host directories and launching a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe malicious code harvests credentials from the compromised system, including database passwords, API keys, JWT secrets, Elasticsearch credentials, and wallet/key files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a reverse shell on the compromised system, allowing them to execute arbitrary commands and further explore the network.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates Strapi configurations and Guardarian API module data to an external attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent implants on the compromised system to maintain long-term access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can lead to severe consequences for Strapi users, particularly those in the cryptocurrency sector. If successful, the attack allows for unauthorized access to sensitive data, including API keys, database credentials, and customer information. 
The direct targeting of Guardarian suggests a high-value target with potential for significant financial loss. A successful attack could result in data breaches, financial theft, and reputational damage for affected organizations. The ability to escape Docker containers further broadens the attack surface, potentially compromising the host system and other containers running on the same infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Suspicious NPM Package Installation\u0026rdquo; Sigma rule to identify potentially malicious package installations (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to facilitate detection and investigation of suspicious activity.\u003c/li\u003e\n\u003cli\u003eRotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on systems where the malicious packages may have been installed, as recommended in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for reverse shell activity originating from Strapi servers, as described in the Attack Chain (reference network_connection log source in Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to Strapi configuration files and other sensitive files (reference file_event log source in Sigma rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:00:00Z","date_published":"2026-04-07T10:00:00Z","id":"/briefs/2026-04-strapi-npm-attack/","summary":"A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.","title":"Malicious NPM Packages 
Target Strapi Users","url":"https://feed.craftedsignal.io/briefs/2026-04-strapi-npm-attack/"},{"_cs_actors":["UNC1069"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply chain attack","npm","social engineering","rat","unc1069"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 4, 2026, the maintainers of the Axios HTTP client disclosed a social engineering attack targeting one of their developers. The attack, attributed to the North Korean threat actor UNC1069, involved impersonating a legitimate company to build trust with the targeted developer. The attacker used a fake Microsoft Teams update disguised as a critical error fix to deploy a remote access trojan (RAT). This RAT allowed the attackers to gain access to the developer\u0026rsquo;s system and npm credentials. The attackers then published two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry. These malicious versions included a dependency called plain-crypto-js, which installed a RAT on macOS, Windows, and Linux systems. 
These versions were available for three hours, posing a supply chain risk to any systems that installed them during that period.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target developer and initiates contact via LinkedIn/Slack, impersonating a legitimate company.\u003c/li\u003e\n\u003cli\u003eThe attacker invites the developer to a Slack workspace populated with fake profiles and staged company activity.\u003c/li\u003e\n\u003cli\u003eA meeting is scheduled on Microsoft Teams, during which a fake \u0026ldquo;RTC Connection\u0026rdquo; error message is displayed.\u003c/li\u003e\n\u003cli\u003eThe attacker prompts the developer to install a \u0026ldquo;Teams update\u0026rdquo; to resolve the error.\u003c/li\u003e\n\u003cli\u003eThe fake update is RAT malware, granting the attacker remote access to the developer\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the developer\u0026rsquo;s npm credentials, bypassing MFA due to an already authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes malicious versions of the Axios package (1.14.1 and 0.30.4) to the npm registry, injecting the plain-crypto-js dependency.\u003c/li\u003e\n\u003cli\u003eSystems installing the compromised Axios versions download and execute the plain-crypto-js package, resulting in RAT deployment and credential theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the Axios npm package created a supply chain attack impacting an unknown number of systems across various sectors. Systems that installed the malicious versions (1.14.1 and 0.30.4) within the three-hour window are considered compromised. Successful exploitation results in the installation of a remote access trojan (RAT) capable of stealing credentials, browser data, and other sensitive information from macOS, Windows, and Linux systems. 
This can lead to further unauthorized access, data breaches, and potential financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of the plain-crypto-js dependency, particularly in projects that use Axios versions 1.14.1 or 0.30.4.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for npm accounts and other developer accounts, but recognize that authenticated sessions can be hijacked.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious NPM Package Installation\u0026rdquo; to detect potentially malicious package installations based on unusual parent processes (see below).\u003c/li\u003e\n\u003cli\u003eBlock the domain associated with the malicious dependency plain-crypto-js at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eEducate developers about social engineering tactics and the risks of installing software from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T20:30:42Z","date_published":"2026-04-04T20:30:42Z","id":"/briefs/2026-04-axios-npm-hack/","summary":"North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.","title":"Axios npm Package Compromised via Social Engineering","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-hack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","javascript","rat"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, the official Axios node package manager (npm) package was compromised in a supply chain attack. The attack resulted in the deployment of two malicious versions, v1.14.1 and v0.30.4. 
Axios is a widely-used JavaScript library for making HTTP requests, with approximately 100 million downloads per week. The malicious packages were available for around three hours. The compromised packages introduced a fake runtime dependency, \u0026lsquo;plain-crypto-js\u0026rsquo;, that executes automatically after installation. This dependency then communicates with attacker-controlled infrastructure at 142.11.206.73, pulling down platform-specific payloads for Linux, MacOS, and Windows. The payloads are remote access trojans (RATs), enabling the attackers to gather information and execute additional malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromised the Axios NPM package and injected malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious versions v1.14.1 and v0.30.4 were published to the NPM registry.\u003c/li\u003e\n\u003cli\u003eThe malicious packages introduce a fake runtime dependency named \u0026lsquo;plain-crypto-js\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eUpon installation of the compromised package, the \u0026lsquo;plain-crypto-js\u0026rsquo; dependency executes automatically via a post-install script.\u003c/li\u003e\n\u003cli\u003eThe dependency connects to the attacker-controlled IP address 142.11.206.73 to retrieve a platform-specific payload.\u003c/li\u003e\n\u003cli\u003eOn MacOS, a binary named \u0026ldquo;com.apple.act.mond\u0026rdquo; is downloaded and executed using zsh.\u003c/li\u003e\n\u003cli\u003eOn Windows, a PowerShell script (6202033.ps1) is downloaded, and the legitimate powershell.exe is copied to \u0026ldquo;%PROGRAM DATA%\\wt.exe\u0026rdquo;, and the ps1 script is executed with hidden and execution policy bypass flags.\u003c/li\u003e\n\u003cli\u003eOn Linux, a Python backdoor is downloaded and executed. 
The downloaded executables act as Remote Access Trojans (RATs) exfiltrating credentials and enabling remote management.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could lead to significant compromise across numerous organizations using the Axios library. The actors exfiltrate credentials and gain remote management capabilities. All credentials present on systems that installed the malicious package should be considered compromised and immediately rotated. The widespread use of Axios means the impact could extend to many applications and systems, potentially enabling further attacks leveraging compromised credentials. Supply chain attacks like these affecting widely used libraries, as seen in 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review, highlight the substantial risk they pose.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRoll back to safe Axios versions (v1.14.0 or v0.30.3) immediately to prevent further compromise, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eInvestigate systems that downloaded malicious packages (v1.14.1 or v0.30.4) for signs of follow-on payloads from the actor-controlled infrastructure, as described in the overview.\u003c/li\u003e\n\u003cli\u003eBlock the actor-controlled IP address 142.11.206.73 and domain Sfrclak.com at the network perimeter to prevent further communication with the malicious infrastructure, per the IOC list.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of PowerShell scripts from unusual locations, specifically \u0026ldquo;%PROGRAM DATA%\\wt.exe\u0026rdquo;, as part of the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement a process creation rule to alert when processes connect to external IPs using uncommon parent processes. 
See example rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-axios-npm-supply-chain/","summary":"A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, MacOS, and Linux.","title":"Axios NPM Supply Chain Attack Delivering Platform-Specific RATs","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","rat","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, a supply chain attack targeted the \u003ccode\u003eaxios\u003c/code\u003e npm package, a widely used HTTP client library for JavaScript. Compromised versions 1.14.1 and 0.30.4 of the library were injected with malicious code that installed a cross-platform Remote Access Trojan (RAT) on systems that installed the affected versions of \u003ccode\u003e@usebruno/cli\u003c/code\u003e. This attack specifically impacted users of the \u003ccode\u003e@usebruno/cli\u003c/code\u003e who performed an \u003ccode\u003enpm install\u003c/code\u003e within a roughly 3-hour window, between 00:21 UTC and 03:30 UTC. The malicious code was designed to execute during the \u003ccode\u003epostinstall\u003c/code\u003e phase of the package installation, indicating a targeted effort to compromise developer environments. 
This incident highlights the increasing risk of supply chain attacks targeting open-source software and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the \u003ccode\u003eaxios\u003c/code\u003e npm package, injecting malicious code into versions 1.14.1 and 0.30.4.\u003c/li\u003e\n\u003cli\u003eThe compromised \u003ccode\u003eaxios\u003c/code\u003e package is published to the npm registry.\u003c/li\u003e\n\u003cli\u003eA user of \u003ccode\u003e@usebruno/cli\u003c/code\u003e executes \u003ccode\u003enpm install\u003c/code\u003e within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).\u003c/li\u003e\n\u003cli\u003eThe npm package manager resolves the dependency chain and downloads the compromised \u003ccode\u003eaxios\u003c/code\u003e package as a dependency of \u003ccode\u003e@usebruno/cli\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the \u003ccode\u003eaxios\u003c/code\u003e package executes during the \u003ccode\u003epostinstall\u003c/code\u003e script phase of the installation process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostinstall\u003c/code\u003e script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a remote command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could have resulted in widespread compromise of developer systems that used the \u003ccode\u003e@usebruno/cli\u003c/code\u003e. 
While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window, reinstall dependencies to ensure a clean version of \u003ccode\u003eaxios\u003c/code\u003e is used (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eRotate all credentials and secrets that were present on systems where \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eReview and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: \u003ca href=\"https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat\"\u003ehttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by npm or node processes, using the provided Sigma rule (reference: Sigma rule - \u0026ldquo;Detect Suspicious Process Spawned by NPM\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-axios-supply-chain/","summary":"Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential 
exfiltration.","title":"Compromised Axios Library Leads to RAT Deployment via @usebruno/cli","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["arbitrary-file-read","credential-exfiltration","openclaw","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions 2026.3.28 and earlier, contains a vulnerability related to media local roots self-whitelisting in the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function. This flaw enables a malicious model to initiate arbitrary file reads on the host system. While the tool-fs root expansion requires prior configuration, the vulnerability can still be exploited, resulting in a narrower impact than a default-critical scenario. The vulnerability was reported by @tdjackey and patched in version 2026.3.31. Defenders should ensure they are running version 2026.3.31 or later of the \u003ccode\u003eopenclaw\u003c/code\u003e package to mitigate the risk of arbitrary file read and potential credential exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor crafts or modifies an existing OpenClaw model.\u003c/li\u003e\n\u003cli\u003eThe model includes instructions to trigger the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function within the \u003ccode\u003esrc/media/local-roots.ts\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the self-whitelisting behavior, the function expands the allowed media parent directories, potentially including sensitive system directories.\u003c/li\u003e\n\u003cli\u003eThe model leverages the expanded directory access to request the reading of arbitrary files on the host system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e 
application processes the model\u0026rsquo;s file read request without proper validation due to the bypassed whitelisting.\u003c/li\u003e\n\u003cli\u003eSensitive files, such as configuration files or credential stores, are read by the application.\u003c/li\u003e\n\u003cli\u003eThe extracted data, including credentials, are then potentially exfiltrated by the malicious model.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the host system where the \u003ccode\u003eopenclaw\u003c/code\u003e application is running. This can lead to the exfiltration of sensitive information, including credentials, API keys, or other confidential data. While the exact number of affected installations is unknown, any system running a vulnerable version of the \u003ccode\u003eopenclaw\u003c/code\u003e package (\u0026lt;=2026.3.28) is susceptible. 
The impact is narrowed because the tool-fs root expansion requires prior configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later to remediate the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent arbitrary file paths from being processed by the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function (reference: \u003ccode\u003esrc/media/local-roots.ts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access sensitive files via the \u003ccode\u003eopenclaw\u003c/code\u003e application (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eReview and restrict the tool-fs root expansion configuration to minimize the impact of potential exploitation (reference: Current Maintainer Triage).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T02:53:58Z","date_published":"2026-04-03T02:53:58Z","id":"/briefs/2026-04-openclaw-file-read/","summary":"The openclaw package is vulnerable to arbitrary file read and credential exfiltration due to media local roots self-whitelisting in `appendLocalMediaParentRoots`, allowing a model to initiate arbitrary host file reads, potentially leading to credential exfiltration.","title":"OpenClaw Arbitrary File Read and Credential Exfiltration Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-file-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sandbox-bypass","dependency-vulnerability","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package contains a critical 
vulnerability related to how heartbeat contexts are inherited. Specifically, improper handling of the \u003ccode\u003esenderIsOwner\u003c/code\u003e property during context inheritance allows a malicious actor to bypass intended sandbox restrictions. This vulnerability affects \u003ccode\u003eopenclaw\u003c/code\u003e versions up to and including 2026.3.28. This issue was reported by @AntAISecurityLab and patched in version 2026.3.31, released on March 31, 2026. Defenders need to ensure that their \u003ccode\u003eopenclaw\u003c/code\u003e dependencies are updated to the patched version or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious package that includes the vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e version (\u0026lt;=2026.3.28) as a dependency.\u003c/li\u003e\n\u003cli\u003eThe malicious package leverages the heartbeat functionality of \u003ccode\u003eopenclaw\u003c/code\u003e to establish an initial context.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the heartbeat context inheritance mechanism to gain control of the \u003ccode\u003esenderIsOwner\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eBy exploiting the inheritance flaw, the attacker escalates privileges within the \u003ccode\u003eopenclaw\u003c/code\u003e sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the escalated privileges to execute arbitrary code within the sandbox.\u003c/li\u003e\n\u003cli\u003eThe arbitrary code gains access to sensitive resources or data within the application utilizing the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the compromised data or uses the compromised application as a pivot point for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this 
vulnerability allows attackers to bypass the \u003ccode\u003eopenclaw\u003c/code\u003e sandbox, potentially leading to arbitrary code execution within applications using the vulnerable package. While the exact scope of impact depends on the application using \u003ccode\u003eopenclaw\u003c/code\u003e, the critical severity suggests significant potential for data breaches, service disruption, or further lateral movement within the compromised environment. Given the widespread use of npm packages, a successful exploit could affect a large number of applications and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later. This version contains the fix for the identified vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts in your environment. Focus on monitoring process creation and file events related to \u003ccode\u003eopenclaw\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement software composition analysis (SCA) tools to automatically detect vulnerable dependencies like \u003ccode\u003eopenclaw\u003c/code\u003e in your projects.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:59:29Z","date_published":"2026-04-02T20:59:29Z","id":"/briefs/2026-04-openclaw-sandbox-bypass/","summary":"A critical vulnerability in the openclaw npm package (\u003c=2026.3.28) allows a heartbeat context inheritance to bypass the sandbox via senderIsOwner escalation, patched in version 2026.3.31.","title":"OpenClaw Sandbox Bypass via Heartbeat Context 
Inheritance","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","npm","package-index-redirection","environment-variable-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions 2026.3.28 and earlier, contains a vulnerability that allows for the redirection of Python package-index traffic. This is due to insufficient sanitization of the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e and \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variables during host execution. An attacker can potentially exploit this vulnerability to redirect package installation traffic to a malicious index, potentially leading to the installation of compromised packages. The scope of this vulnerability is limited to approved or allowlisted package-management execution paths, mitigating the risk of arbitrary remote execution. Version 2026.3.31 and later contain the fix. 
The vulnerability was reported by @nexrin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a system using a vulnerable version (\u0026lt;=2026.3.28) of the \u003ccode\u003eopenclaw\u003c/code\u003e npm package.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the system or its environment configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker sets either the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variable to point to a malicious Python package index server.\u003c/li\u003e\n\u003cli\u003eThe system executes a package installation command (e.g., \u003ccode\u003epip install \u0026lt;package\u0026gt;\u003c/code\u003e) through \u003ccode\u003eopenclaw\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eopenclaw\u003c/code\u003e, without proper sanitization, uses the attacker-controlled environment variable when resolving package dependencies.\u003c/li\u003e\n\u003cli\u003eThe package manager connects to the malicious index server specified in the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003eThe attacker serves malicious or backdoored Python packages through the rogue index.\u003c/li\u003e\n\u003cli\u003eThe system installs the malicious packages, potentially compromising the system with arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the installation of malicious Python packages on systems utilizing the vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e version. This could result in arbitrary code execution, data theft, or other malicious activities, depending on the contents of the malicious packages. 
The scope is somewhat limited since only allowlisted execution paths are affected, which reduces the blast radius.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process executions involving \u003ccode\u003eopenclaw\u003c/code\u003e and the use of \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variables. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Using Suspicious Index URL\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict allowlisting of package management execution paths to further limit the potential impact.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture command line arguments and environment variables for the \u003ccode\u003eopenclaw\u003c/code\u003e process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:57:44Z","date_published":"2026-04-02T20:57:44Z","id":"/briefs/2026-04-openclaw-index-redirect/","summary":"The openclaw npm package is vulnerable to Python package-index redirection through host execution due to improper sanitization of `PIP_INDEX_URL` and `UV_INDEX_URL`, affecting versions 2026.3.28 and earlier.","title":"OpenClaw NPM Package Vulnerable to Python Package Index Redirection","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-index-redirect/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026 (UTC), the Axios npm package, a popular JavaScript library for making HTTP/S requests used by millions of applications, was targeted in a supply chain attack. 
A compromised maintainer account was used to publish malicious versions of the package, specifically \u003ccode\u003eaxios@1.14.1\u003c/code\u003e and \u003ccode\u003eaxios@0.30.4\u003c/code\u003e, between approximately 00:21 and 03:30 UTC. This incident highlights the risks associated with software supply chains and the potential for attackers to inject malicious code into widely used components, impacting countless downstream applications. Defenders should prioritize monitoring their dependencies and implementing measures to detect and prevent such attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Maintainer Account:\u003c/strong\u003e An attacker gains unauthorized access to the credentials of an Axios npm package maintainer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePublish Malicious Package Versions:\u003c/strong\u003e The attacker uses the compromised account to publish malicious versions of the Axios package (\u003ccode\u003eaxios@1.14.1\u003c/code\u003e and \u003ccode\u003eaxios@0.30.4\u003c/code\u003e) to the npm registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDependency Resolution:\u003c/strong\u003e Developers or automated build systems unknowingly download and incorporate the malicious Axios versions into their projects during dependency resolution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Execution:\u003c/strong\u003e The malicious code within the Axios package executes within the context of the affected applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Applicable):\u003c/strong\u003e Depending on the vulnerabilities exploited, the attacker may attempt to escalate privileges within the compromised environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Lateral 
Movement:\u003c/strong\u003e The attacker uses the compromised application as a beachhead to exfiltrate sensitive data or move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Persistence:\u003c/strong\u003e The attacker establishes persistent access to the compromised environment to maintain control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Objectives:\u003c/strong\u003e The attacker achieves their ultimate objectives, which could include data theft, system disruption, or further compromise of the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack on the Axios npm package has the potential to affect millions of applications that depend on the library. Successful exploitation could lead to data breaches, unauthorized access to systems, and widespread disruption of services. The exact scope of the impact depends on the nature of the malicious code injected into the Axios package and the vulnerabilities it exploits.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of \u003ccode\u003eaxios@1.14.1\u003c/code\u003e and \u003ccode\u003eaxios@0.30.4\u003c/code\u003e and investigate any occurrences (refer to the \u003cstrong\u003eOverview\u003c/strong\u003e section).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for npm packages to detect unauthorized modifications to dependencies.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process execution within applications using the Axios library (see \u003cstrong\u003erule: \u0026ldquo;Detect Suspicious Process Execution from 
Axios\u0026rdquo;\u003c/strong\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T21:04:21Z","date_published":"2026-03-31T21:04:21Z","id":"/briefs/2026-03-axios-supply-chain/","summary":"The widely used Axios npm package was compromised via a supply chain attack on March 31, 2026, resulting in the publication of malicious versions through a compromised maintainer account.","title":"Axios npm Package Compromised in Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-03-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","symlink-traversal","vulnerability","npm","rce","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package is vulnerable to a symlink traversal vulnerability (CVE-2026-32013) affecting versions 2026.2.22 and earlier. The vulnerability lies in the \u003ccode\u003eagents.create\u003c/code\u003e and \u003ccode\u003eagents.update\u003c/code\u003e handlers within the \u003ccode\u003esrc/gateway/server-methods/agents.ts\u003c/code\u003e file. These handlers use \u003ccode\u003efs.appendFile\u003c/code\u003e on the \u003ccode\u003eIDENTITY.md\u003c/code\u003e file without proper symlink containment checks. An attacker capable of placing a symlink within the agent workspace can redirect the \u003ccode\u003eIDENTITY.md\u003c/code\u003e path to point to arbitrary files on the system, allowing them to append attacker-controlled content to these files. 
This can lead to serious consequences such as remote code execution by modifying \u003ccode\u003e/etc/crontab\u003c/code\u003e, persistent code execution by modifying shell configuration files like \u003ccode\u003e~/.bashrc\u003c/code\u003e, or unauthorized SSH access by modifying \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the agent workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker plants a symbolic link named \u003ccode\u003eIDENTITY.md\u003c/code\u003e within the agent workspace. This symlink points to a sensitive system file, such as \u003ccode\u003e/etc/crontab\u003c/code\u003e or \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eensureAgentWorkspace\u003c/code\u003e function is called, but the exclusive-create flag (\u003ccode\u003ewx\u003c/code\u003e) skips creation due to the existing symlink (EEXIST error).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eagents.create\u003c/code\u003e or \u003ccode\u003eagents.update\u003c/code\u003e API endpoint, for example, by sending an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eagents.create\u003c/code\u003e or \u003ccode\u003eagents.update\u003c/code\u003e handler constructs the path to \u003ccode\u003eIDENTITY.md\u003c/code\u003e using \u003ccode\u003epath.join(workspaceDir, DEFAULT_IDENTITY_FILENAME)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efs.appendFile\u003c/code\u003e function is called to append agent metadata (name, emoji, avatar) to the \u003ccode\u003eIDENTITY.md\u003c/code\u003e file. 
Because \u003ccode\u003efs.appendFile\u003c/code\u003e follows symlinks, the content is written to the attacker-controlled target file.\u003c/li\u003e\n\u003cli\u003eAttacker-controlled data is appended to the target file.\u003c/li\u003e\n\u003cli\u003eIf the target file is a cron configuration file, this leads to remote code execution. If it\u0026rsquo;s an SSH authorized_keys file, this leads to unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to append attacker-controlled content to arbitrary files on the system. This can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e By appending malicious entries to \u003ccode\u003e/etc/crontab\u003c/code\u003e or user crontab files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Code Execution:\u003c/strong\u003e By modifying shell configuration files like \u003ccode\u003e~/.bashrc\u003c/code\u003e or \u003ccode\u003e~/.profile\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized SSH Access:\u003c/strong\u003e By appending SSH keys to \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Disruption:\u003c/strong\u003e By modifying application configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe vulnerability affects \u003ccode\u003eopenclaw\u003c/code\u003e versions 2026.2.22 and earlier, and no patches are currently available. 
The number of affected systems depends on the adoption rate of the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events within agent workspace directories for the creation of symbolic links using file_event logs.\u003c/li\u003e\n\u003cli\u003eImplement and deploy the provided Sigma rule to detect exploitation attempts by monitoring \u003ccode\u003efs.appendFile\u003c/code\u003e calls related to IDENTITY.md without symlink resolution.\u003c/li\u003e\n\u003cli\u003eRestrict access to the agent workspace directory to prevent attackers from planting symlinks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eopenclaw\u003c/code\u003e when available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T14:00:00Z","date_published":"2026-03-27T14:00:00Z","id":"/briefs/2026-03-openclaw-symlink/","summary":"OpenClaw is vulnerable to symlink traversal via IDENTITY.md appendFile in agents.create/update. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system leading to remote code execution, persistent code execution, unauthorized SSH access, or service disruption.","title":"OpenClaw Symlink Traversal via IDENTITY.md appendFile in agents.create/update","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","vulnerability","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, a tool likely used for decentralized communication or cryptocurrency-related applications, contains a vulnerability affecting versions prior to 2026.3.22. 
Specifically, the vulnerability lies in the handling of inbound Direct Messages (DMs) within the Nostr protocol implementation. The flaw allows for crypto operations and dispatch work to be triggered before proper sender and pairing policy enforcement. This means an attacker could potentially initiate resource-intensive computations on a vulnerable system without proper authentication or authorization. The issue was reported by @kuranikaran and resolved in version 2026.3.22 with improvements to authorization checks in \u003ccode\u003eextensions/nostr/src/channel.ts\u003c/code\u003e and the introduction of pre-crypto authorization and rate-limiting guardrails in \u003ccode\u003eextensions/nostr/src/nostr-bus.ts\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Nostr DM specifically designed to trigger computationally expensive crypto operations within OpenClaw.\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious DM to a user running a vulnerable version of the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application receives the DM and, due to the vulnerability, proceeds to decrypt the message content before validating the sender\u0026rsquo;s authorization.\u003c/li\u003e\n\u003cli\u003eOpenClaw attempts to perform cryptographic operations, such as decryption or signature verification, based on the contents of the malicious DM.\u003c/li\u003e\n\u003cli\u003eThe application dispatches internal tasks or events based on the decrypted (but unauthorized) message content.\u003c/li\u003e\n\u003cli\u003eRepeatedly sending these crafted messages can lead to denial of service due to CPU exhaustion or memory over-utilization.\u003c/li\u003e\n\u003cli\u003e(If applicable) Depending on the purpose of the cryptographic operations, the attacker may be able to glean partial information or influence the 
application\u0026rsquo;s state without full authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to denial-of-service conditions due to excessive CPU usage and memory consumption on systems running vulnerable versions of OpenClaw. Attackers could potentially trigger resource-intensive cryptographic operations without proper authorization, impacting the availability and performance of the application. In specific scenarios, and depending on the application\u0026rsquo;s functionality, partial information disclosure or unauthorized state changes might be possible. This vulnerability affects any application using the \u003ccode\u003eopenclaw\u003c/code\u003e npm package prior to version 2026.3.22.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.22 or later to remediate the vulnerability (reference affected versions).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually high volumes of inbound Nostr DM messages targeting applications using the \u003ccode\u003eopenclaw\u003c/code\u003e package (network_connection log source).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on Nostr DM processing to prevent denial-of-service attacks (network_connection/firewall log source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious activity related to the vulnerable code paths (process_creation/file_event log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T19:09:45Z","date_published":"2026-03-26T19:09:45Z","id":"/briefs/2026-04-openclaw-unauth-crypto/","summary":"The openclaw npm package before version 2026.3.22 allows unauthorized pre-authentication computation due to improper handling of inbound Nostr DMs, where crypto and dispatch work are 
performed before enforcing sender and pairing policies.","title":"OpenClaw Nostr DM Unauthorized Crypto Computation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-unauth-crypto/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","npm","CVE-2026-26830","pdf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe pdf-image npm package, up to version 2.0.0, contains a critical vulnerability (CVE-2026-26830) that allows for OS command injection. This vulnerability stems from the way the package handles user-provided file paths when processing PDF files. Specifically, the \u003ccode\u003econstructGetInfoCommand\u003c/code\u003e and \u003ccode\u003econstructConvertCommandForPage\u003c/code\u003e functions utilize \u003ccode\u003eutil.format()\u003c/code\u003e to incorporate the \u003ccode\u003epdfFilePath\u003c/code\u003e parameter directly into shell command strings. These commands are then executed using…\u003c/p\u003e\n","date_modified":"2026-03-25T15:16:38Z","date_published":"2026-03-25T15:16:38Z","id":"/briefs/2026-03-pdf-image-command-injection/","summary":"The pdf-image npm package through version 2.0.0 is vulnerable to OS command injection via the pdfFilePath parameter due to improper sanitization, potentially leading to arbitrary code execution.","title":"pdf-image npm Package Command Injection Vulnerability (CVE-2026-26830)","url":"https://feed.craftedsignal.io/briefs/2026-03-pdf-image-command-injection/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","npm","canisterworm"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 21, 2026, it was reported that threat actor TeamPCP successfully deployed CanisterWorm, a malicious worm, onto the NPM package registry. 
This followed a compromise of Trivy, a widely-used open-source vulnerability scanner. The specifics of the Trivy compromise are not detailed in this brief, but it likely involved exploiting vulnerabilities within Trivy or its infrastructure to gain unauthorized access and the ability to publish malicious packages. The scope of this incident affects developers and organizations that rely on NPM packages and utilize Trivy in their software development lifecycle. Defenders should prioritize detecting and mitigating the spread of CanisterWorm within their environments, focusing on identifying compromised Trivy instances and monitoring for suspicious activity related to NPM package installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: TeamPCP gains unauthorized access to Trivy infrastructure, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eMalware Injection: The attackers inject malicious code into a legitimate Trivy package or create a new package containing the CanisterWorm payload.\u003c/li\u003e\n\u003cli\u003eNPM Deployment: TeamPCP publishes the compromised or new package to the NPM registry, making it available for download by unsuspecting users.\u003c/li\u003e\n\u003cli\u003ePackage Installation: Developers unknowingly download and install the malicious package through NPM, integrating CanisterWorm into their projects.\u003c/li\u003e\n\u003cli\u003eWorm Propagation: CanisterWorm begins to propagate itself by infecting other NPM packages and dependencies within the compromised project.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The worm replicates and spreads to other systems and projects that depend on the infected packages.\u003c/li\u003e\n\u003cli\u003ePersistence: The malware establishes persistence within infected systems to maintain its presence and continue spreading.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: 
CanisterWorm executes its malicious payload, which could include data theft, code injection, or other harmful activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deployment of CanisterWorm on NPM poses a significant threat to the software supply chain. Successful infection can lead to widespread compromise of applications and systems that rely on NPM packages. The specific number of victims and the full extent of damage are currently unknown, but the incident has the potential to affect numerous organizations across various sectors that utilize NPM and Trivy in their development processes. Successful exploitation could result in data breaches, service disruptions, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor NPM package installations for suspicious activity and unexpected dependencies to identify potential CanisterWorm infections.\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for NPM packages (for example, a committed lockfile with integrity hashes installed via \u003ccode\u003enpm ci\u003c/code\u003e) to verify their authenticity and prevent the installation of tampered packages.\u003c/li\u003e\n\u003cli\u003eAnalyze process creation events for suspicious processes originating from NPM-related processes using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for known malware signatures to detect CanisterWorm and other potential threats.\u003c/li\u003e\n\u003cli\u003eReview and strengthen the security of your software supply chain to mitigate the risk of future attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-22T10:00:00Z","date_published":"2026-03-22T10:00:00Z","id":"/briefs/2026-03-teampcp-canisterworm/","summary":"TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.","title":"TeamPCP Deploys CanisterWorm on NPM After Trivy 
Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-teampcp-canisterworm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","rat","npm","pylangghost"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new remote access trojan (RAT) named PylangGhost has been discovered on the npm registry. This marks the first known instance of this specific RAT being distributed via a software supply chain attack on the npm ecosystem. The name reflects the use of Python in the RAT. The affected npm packages are designed to inject malicious code into projects that depend on them. This malicious code facilitates unauthorized remote access to infected systems, thereby providing threat actors with the ability to exfiltrate sensitive data, deploy further malware, or perform other malicious activities. This is a supply chain attack that endangers developers and applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a malicious package from the npm registry containing PylangGhost.\u003c/li\u003e\n\u003cli\u003eDuring the installation process, a post-install script or similar mechanism executes, injecting the PylangGhost RAT into the developer\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a command-and-control (C2) server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe C2 server sends commands to the infected system, instructing the RAT to perform specific actions.\u003c/li\u003e\n\u003cli\u003eThe RAT executes the commands, potentially including data exfiltration, downloading and executing additional payloads, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eSensitive data, such as credentials, API keys, or source code, is exfiltrated from the compromised system to the C2 
server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the compromised system, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe presence of PylangGhost on the npm registry introduces a significant supply chain risk. Successful infection allows attackers to gain remote access to developer systems, potentially leading to the theft of sensitive source code, credentials, and other proprietary information. The compromise can extend to applications built using the infected packages, impacting downstream users and potentially leading to widespread data breaches or service disruptions. The number of affected victims is currently unknown, but the risk is widespread due to the popularity of the npm registry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for suspicious post-install scripts or unexpected network connections (see related Sigma rules).\u003c/li\u003e\n\u003cli\u003eDisable lifecycle scripts for installs that do not need them (\u003ccode\u003enpm install --ignore-scripts\u003c/code\u003e, or the \u003ccode\u003eignore-scripts\u003c/code\u003e npm config), which removes the install-time execution step this RAT relies on.\u003c/li\u003e\n\u003cli\u003eImplement strong dependency scanning tools to identify and remove potentially malicious packages from your projects.\u003c/li\u003e\n\u003cli\u003eAnalyze network connection logs for connections to unusual or malicious domains after npm package installations (see related Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable process monitoring for any processes spawned during or after npm package installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T04:45:53Z","date_published":"2026-03-16T04:45:53Z","id":"/briefs/2024-01-pylangghost-npm/","summary":"A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.","title":"PylangGhost RAT Observed on npm 
Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-pylangghost-npm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","npm","token spoofing"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a package available on npm, contains a vulnerability in versions 2026.4.21 and earlier that allows for token spoofing within the MCP loopback path. This flaw stems from the acceptance of spoofable owner-context metadata from request headers. A malicious actor could exploit this by crafting requests that falsely present them as the owner, thereby bypassing authorization checks and potentially gaining unauthorized access to operations intended only for the owner. The vulnerability was reported by @VladimirEliTokarev and patched in version 2026.4.22. This issue matters for defenders because it can lead to privilege escalation and unauthorized modification of system configurations or data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenClaw instance (version \u0026lt;= 2026.4.21) utilizing the MCP loopback.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the MCP loopback endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker injects a forged \u0026ldquo;sender-owner\u0026rdquo; header into the HTTP request, claiming owner privileges.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenClaw instance incorrectly trusts the spoofed \u0026ldquo;sender-owner\u0026rdquo; header.\u003c/li\u003e\n\u003cli\u003eThe application bypasses owner authorization checks due to the forged header.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to owner-gated operations within the MCP loopback.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, such as modifying configurations or accessing sensitive 
data.\u003c/li\u003e\n\u003cli\u003eAttacker maintains unauthorized access, potentially escalating privileges further within the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow unauthorized access to critical system functions intended only for the owner. This could lead to configuration changes, data breaches, or other malicious activities depending on the specific owner-gated operations exposed within the OpenClaw MCP loopback. The severity depends on the permissions granted to the \u0026ldquo;owner\u0026rdquo; context within the application but could be critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.22 or later to remediate the vulnerability as described in the fix commit 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19.\u003c/li\u003e\n\u003cli\u003eMonitor for HTTP requests carrying potentially forged \u0026ldquo;sender-owner\u0026rdquo; headers targeting MCP loopback endpoints using the Sigma rule \u003ccode\u003eDetect OpenClaw MCP Loopback Owner Spoofing\u003c/code\u003e. Because loopback traffic never leaves the host, this requires host-level request or application logging rather than network perimeter capture.\u003c/li\u003e\n\u003cli\u003eReview and audit existing OpenClaw deployments to identify and patch vulnerable instances quickly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-openclaw-token-spoofing/","summary":"A vulnerability in OpenClaw versions 2026.4.21 and earlier allows a non-owner loopback client to spoof the owner context by manipulating request headers, potentially gaining unauthorized access to owner-gated operations.","title":"OpenClaw MCP Loopback Token Spoofing 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-token-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["electerm"],"_cs_severities":["critical"],"_cs_tags":["command-injection","electerm","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical command injection vulnerability has been identified in Electerm, specifically affecting users who install the application via \u003ccode\u003enpm install -g electerm\u003c/code\u003e on Linux systems. The vulnerability resides within the \u003ccode\u003erunLinux()\u003c/code\u003e function in \u003ccode\u003egithub.com/electerm/electerm/npm/install.js\u003c/code\u003e. This function interpolates remote version strings into an \u003ccode\u003eexec(\u0026quot;rm -rf ...\u0026quot;)\u003c/code\u003e command without validation, so the string reaches a shell intact. An attacker capable of controlling the remote release metadata (e.g., version string, release name) served by Electerm\u0026rsquo;s update server could exploit this flaw to execute arbitrary system commands. This could lead to tampering with local files and a complete compromise of development or runtime assets. 
This vulnerability affects Electerm versions prior to 3.3.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains control over the Electerm update server or performs a man-in-the-middle attack.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious release metadata, including a crafted version string containing command injection payloads.\u003c/li\u003e\n\u003cli\u003eA user on a Linux system executes \u003ccode\u003enpm install -g electerm\u003c/code\u003e to install or update Electerm.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einstall.js\u003c/code\u003e script fetches the malicious release metadata from the compromised update server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunLinux()\u003c/code\u003e function appends the attacker-controlled version string directly into an \u003ccode\u003eexec(\u0026quot;rm -rf ...\u0026quot;)\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexec()\u003c/code\u003e function executes the command, resulting in arbitrary command execution with the privileges of the user running \u003ccode\u003enpm install\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker can then tamper with local files, install backdoors, or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete system compromise, potentially exfiltrating sensitive data or using the compromised system as a pivot point.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary system commands on the victim\u0026rsquo;s machine. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and further propagation of the attack within the network. Given the nature of \u003ccode\u003enpm install\u003c/code\u003e, developers are primarily at risk. 
The impact could be significant for development environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the following rule to detect command injection attempts within npm installations referencing the electerm package: \u003ccode\u003eElecterm NPM install Command Injection\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unexpected or suspicious update servers that could be serving malicious Electerm release metadata using network connection logs.\u003c/li\u003e\n\u003cli\u003eUpgrade Electerm to 3.3.8 or later; where older versions (\u003ccode\u003e\u0026lt; 3.3.8\u003c/code\u003e) remain in use, ensure users are aware of the risks of running them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-electerm-command-injection/","summary":"A command injection vulnerability exists in electerm's install.js due to insufficient validation in the runLinux() function, allowing attackers to execute arbitrary commands by manipulating remote release metadata.","title":"Electerm Command Injection Vulnerability via runLinux Function","url":"https://feed.craftedsignal.io/briefs/2024-01-electerm-command-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw (\u003c= 2026.4.21)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","symlink","race-condition","npm"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. 
An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw validates the write target against the mount root before the write rather than at the moment of the write, so a symlink swapped in between the check and the write redirects the write outside the root. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker who can create files inside the sandboxed directory (for example through a malicious OpenClaw package, or an existing package they control) prepares the attack.\u003c/li\u003e\n\u003cli\u003eThe package contains a symlink within the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application attempts to write to a file via the symlink.\u003c/li\u003e\n\u003cli\u003eBetween the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.\u003c/li\u003e\n\u003cli\u003eOpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to overwrite or modify any file the OpenClaw process is permitted to write.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this capability to gain elevated privileges or compromise sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. 
While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Sandbox Escape via Symlink\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter file system access controls, such as running OpenClaw as a dedicated low-privilege user so that a redirected write can only reach files that user may modify, to limit the potential impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-openclaw-symlink/","summary":"A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.","title":"OpenClaw Symlink Race Condition Allows Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/"}],"language":"en","title":"CraftedSignal Threat Feed — Npm","version":"https://jsonfeed.org/version/1.1"}