Tag
Lazarus Group's Brandjacking Campaign on npm Delivers Persistent Node.js Backdoor
3 rules 5 TTPs 1 IOCThe Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.
Atomic Arch Campaign Leverages Orphaned AUR Packages for Linux Payload Deployment
3 rules 14 TTPs 6 IOCsThe Atomic Arch campaign compromises orphaned Arch User Repository (AUR) packages, modifying their PKGBUILDs to install malicious npm/Bun dependencies like 'atomic-lockfile,' which deploy a Linux payload with credential harvesting, eBPF-based stealth, anti-debugging, and data exfiltration capabilities, impacting approximately 1,500 packages.
Laravel Lang Packages Hijacked in Credential-Stealing Supply Chain Attack
2 rules 4 TTPs 1 IOCAttackers compromised Laravel Lang packages by rewriting GitHub tags, distributing a credential-stealing malware targeting cloud credentials, secrets, keys, browser data, and cryptocurrency wallets across Windows, Linux, and macOS systems.
Compromised node-ipc npm Package Steals Credentials
2 rules 3 TTPs 2 IOCsHackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.
Shai-Hulud Malware Used in Supply Chain Attack via Compromised npm Packages
3 rules 7 TTPs 3 IOCsThe Shai-Hulud malware was used in a large-scale software supply-chain attack compromising hundreds of packages across open-source software ecosystems by compromising developer secrets and CI/CD pipelines.
ScarCruft Compromises Gaming Platform in Supply-Chain Attack
2 rules 4 TTPs 4 IOCsThe ScarCruft APT group conducted a supply-chain attack targeting the Yanbian region by compromising a gaming platform, sqgame, used by ethnic Koreans, trojanizing Windows and Android games with the BirdCall backdoor for espionage activities since late 2024.
Axios npm Package Compromised via Social Engineering
2 rules 7 TTPsNorth Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.
TrueConf Zero-Day Exploitation Leading to Arbitrary Code Execution
2 rules 3 TTPs 1 CVE 4 IOCsHackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf conference servers to execute arbitrary files on connected endpoints, potentially deploying the Havoc C2 framework.
TeamPCP Backdoors Telnyx PyPI Package with Steganographic Malware
2 rules 5 TTPsThe TeamPCP threat actor compromised the Telnyx PyPI package, injecting credential-stealing malware hidden within WAV audio files to target Linux, macOS, and Windows systems.