Supply-Chain

A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.

Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.

Compromised PyTorch Lightning packages versions 2.6.2 and 2.6.3 on PyPI contain malicious code to steal developer credentials from cloud and developer environments, and republish infected packages.

The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.

Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.

OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.

Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.

The CanisterSprawl malware campaign targets npm packages, using a self-propagating approach to steal sensitive data from developer machines, including tokens and API keys, and attempting to publish malicious packages using hijacked credentials.

Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.

The Notepad++ updater (gup.exe) creating files in suspicious locations can indicate potential exploitation for malware delivery or unwarranted file placement, potentially leading to credential access and collection.

A vulnerability in the `compressing` npm package (<=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.

PraisonAI versions 4.5.139 and below are vulnerable to credential leakage due to the ArtiPACKED attack, where GitHub Actions workflows using actions/checkout without persist-credentials: false write the GITHUB_TOKEN into the .git/config file, leading to potential exposure in uploaded artifacts and subsequent supply chain compromise.

This rule detects Elastic Defend alerts where the alerted process has a package-manager install context in its ancestry (npm, PyPI, Rust), indicating potential supply chain compromise via malicious postinstall scripts.

PraisonAI before version 4.5.128 is vulnerable to supply chain attacks due to treating remotely fetched template files as trusted executable code without proper verification, enabling exploitation via malicious templates.

A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.

The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.

A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, MacOS, and Linux.

Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.

Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.

The widely used Axios npm package was compromised via a supply chain attack on March 31, 2026, resulting in the publication of malicious versions through a compromised maintainer account.

The trivy-action GitHub Action was compromised via git tag repointing, where 76 of 77 release tags were retroactively poisoned, leading to a multi-stage credential theft operation discovered following a spike in script execution detections on Linux runners.

The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting malicious code into the entrypoint.sh script to steal credentials from CI/CD pipelines before executing the legitimate Trivy scanner.

The trivy-action GitHub Action, a widely used vulnerability scanner in CI/CD pipelines, was compromised via git tag repointing to inject a multi-stage credential stealer, affecting 76 of 77 release tags.

A threat actor compromised the PyPI package `telnyx`, uploading malicious versions 4.87.1 and 4.87.2 containing credential-stealing malware that exfiltrates data to a C2 server.

The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting a multi-stage credential stealer into CI/CD pipelines, allowing for the theft of secrets and credentials.

The trivy-action GitHub Action was compromised via git tag repointing, with attackers poisoning 76 of 77 release tags to inject a multi-stage credential stealer before the legitimate scanner runs, granting attackers access to CI/CD pipeline secrets.

The openclaw npm package before version 2026.3.22 allows unauthorized pre-authentication computation due to improper handling of inbound Nostr DMs, where crypto and dispatch work are performed before enforcing sender and pairing policies.

TeamPCP compromised CI/CD pipelines and GitHub accounts of multiple companies by deploying an infostealer to extract credentials from CI environments, .env files, and cloud tokens, impacting projects like Trivy, KICS, and LiteLLM.

Compromised versions of the LiteLLM package (1.82.7 and 1.82.8) on PyPI contained malware designed to harvest sensitive credentials and files, exfiltrating them to a remote API, impacting users who installed and ran the package.

The LiteLLM package was compromised and infected with credential-stealing code through a supply chain attack leveraging the Trivy vulnerability scanner.

Unauthenticated remote shell injection vulnerability exists in Langflow GitHub Actions workflows prior to version 1.9.0, enabling attackers to execute arbitrary shell commands via malicious branch names or pull request titles due to unsanitized GitHub context variable interpolation, leading to potential secret exfiltration and supply chain compromise.

NICKEL ALLEY, a North Korean threat group, is targeting technology professionals with fake job opportunities and malicious code repositories to deliver malware like PyLangGhost RAT and BeaverTail, aiming to steal cryptocurrency.

The GlassWorm campaign employs Unicode variation selectors to conceal malicious code within supply chain artifacts, subsequently querying a Solana wallet for C2 URLs and exfiltrating sensitive credentials.

Versions 1.82.7 and 1.82.8 of the Litellm package on PyPI were compromised in a supply chain attack, potentially impacting numerous users, with recommendations to avoid updating to these versions.

Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.

TeamPCP conducted a supply chain attack compromising the KICS GitHub Action, impacting users who integrated the compromised version into their CI/CD pipelines.

A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, allowing threat actors to intercept skill downloads from vulnerable repositories, with scanners showing significant disagreement on malicious skill identification and embedded live API credentials discovered.

TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.

The widely used Trivy scanner has been compromised in an ongoing supply chain attack, potentially impacting numerous organizations using the tool for vulnerability management.

Attackers hijacked 75 tags associated with the Trivy Security Scanner GitHub Actions to steal CI/CD secrets from users of the compromised tags.

CISA is urging hardening of endpoint management systems following a cyberattack against a US organization, highlighting the potential for significant impact via compromised management infrastructure.

A memory exhaustion vulnerability (CVE-2026-33155) exists in a widely used Python library, affecting services like SageMaker, DataHub, and acryl-datahub due to an incomplete patch for CVE-2025-58367, requiring pinning to version 8.6.2.

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

The GlassWorm threat involves DLL injection and Chrome hijacking via COM abuse, confirming a full supply chain loop, potentially leading to data theft and system compromise.

A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.

The Glassworm malware utilizes invisible unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.

Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities, with attackers using command interpreters and system binaries for malicious purposes.

Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.

Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.

A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.

pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.

Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.