> supply chain attack monitor
Tracking software supply chain compromises across package registries, build systems, and update mechanisms. Each incident is logged with affected packages, attack vector, severity, and links to full analysis.
axios 1.14.1, 0.30.4
DPRK-linked UNC1069 compromised the axios maintainer account and published backdoored versions (1.14.1, 0.30.4) deploying the WAVESHAPER.V2 RAT. 100M+ weekly downloads, ~80% cloud environment exposure.
AppArmor (kernel) Ubuntu default AppArmor profiles
CrackArmor research disclosed a chain of AppArmor bypasses enabling container escapes from Docker and Kubernetes pods on default Ubuntu configurations.
aquasecurity/trivy-action, aquasecurity/setup-trivy, trivy binary trivy-action/setup-trivy (pinned by tag, March 19); trivy binary v0.69.4, v0.69.5, v0.69.6
TeamPCP stole a GitHub PAT via misconfigured pull_request_target workflow and force-pushed malicious commits to 76/77 Trivy version tags plus Docker Hub/GHCR/ECR. TeamPCP Cloud Stealer harvested CI/CD secrets, SSH keys, cloud creds, and K8s tokens from any pipeline that ran Trivy that day.
checkmarx/kics-github-action, checkmarx/ast-github-action kics-github-action (all tags via March 23 push); ast-github-action 2.3.28
TeamPCP force-pushed malicious commits to all 35 version tags of checkmarx/kics-github-action and poisoned ast-github-action v2.3.28, continuing the same credential-harvesting campaign as the Trivy compromise.
litellm 1.82.7, 1.82.8 (last clean: 1.82.6)
TeamPCP published two backdoored LiteLLM releases (1.82.7, 1.82.8) on PyPI containing the TeamPCP Cloud Stealer, which exfiltrates SSL/SSH keys, cloud credentials, K8s configs, API keys, and shell history.
telnyx 4.87.1, 4.87.2
TeamPCP published two backdoored Telnyx Python SDK releases (4.87.1, 4.87.2) on PyPI as part of the same credential-harvesting campaign targeting developer tooling.
strapi-plugin-* (36 packages) All (version 3.6.8)
36 malicious npm packages disguised as Strapi CMS plugins deployed Redis exploits, PostgreSQL credential harvesting, and persistent C2 implants targeting production infrastructure via postinstall hooks.
1,700+ packages (debug-logfmt, pino-debug, baraka, libprettylogger, openlss/func-log, others) Various
DPRK-linked Contagious Interview operation published 1,700+ malicious packages across five ecosystems impersonating developer tooling, delivering BeaverTail loader and InvisibleFerret backdoor for credential theft and persistent access.
Smart Slider 3 Pro 3.5.1.35 (Pro only)
Attackers compromised Nextend's update distribution infrastructure and pushed a trojanized Smart Slider 3 Pro 3.5.1.35 build containing a multi-layered RAT with rogue admin creation, remote command execution via HTTP headers, multi-point persistence, and full credential exfiltration to C2 domain wpjs1[.]com. 800K+ active installations affected.
CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2 All CPUID products downloaded April 9 15:00 UTC – April 10 10:00 UTC
Attackers compromised a secondary download-link API on cpuid.com and replaced installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor 2 with trojanized builds. Malicious CRYPTBASE.dll sideloaded via legitimate signed executables deploys STX RAT with in-memory execution, reverse proxy, desktop control, and infostealer capabilities. C2: welcome[.]supp0v3[.]com. 150+ confirmed victims including orgs in retail, manufacturing, telecoms, and agriculture.
Context.ai (Google Workspace OAuth app) Vercel projects with non-sensitive env vars prior to April 19, 2026
A Lumma Stealer infection at a Context.ai employee (Feb 2026) yielded session tokens for Context.ai's Google Workspace OAuth application, giving the attacker delegated access to every tenant that had installed the app. ShinyHunters pivoted through a Vercel employee's Workspace account into internal Vercel environments and read customer environment variables not marked 'sensitive'. 580 Vercel employee records leaked; data listed for sale at $2M on BreachForums. Sensitive-flagged env vars (encrypted at rest) were not accessed.
pgserve, automagik, xinference, kube-health-tools, kube-node-health pgserve 1.1.11–1.1.13; xinference 2.6.0–2.6.2; automagik and Namastex.ai packages (multiple recent versions); kube-health-tools, kube-node-health (all published versions)
CanisterSprawl campaign hijacked pgserve (npm, versions 1.1.11–1.1.13), automagik (Namastex.ai), xinference (PyPI 2.6.0–2.6.2), and typosquatted Kubernetes health tools. 1,143-line postinstall payload harvests npm/PyPI tokens, cloud credentials (AWS/GCP/Azure), GitHub PATs, SSH keys, kubeconfigs, Docker configs, Chrome password store, and MetaMask/Phantom/Solana/Ethereum/Bitcoin/Exodus/Atomic wallet data. If publish tokens are present, re-injects payload into every package the victim can publish and ships new patch versions, worming across ecosystems. Initial access for Namastex.ai packages via malicious PRs with prt-scan-{12hex} branch names triggering secret harvest in CI. Exfil encrypted with RSA-4096 + AES-256 to telemetry.api-monitor.com and an ICP blockchain canister.
@bitwarden/cli @bitwarden/cli 2026.4.0
Attacker pivoted from the ongoing Checkmarx/TeamPCP campaign (suspected via a trojanized Checkmarx KICS Docker image) into Bitwarden's publish-ci.yml GitHub Actions workflow and pushed a trojanized @bitwarden/cli@2026.4.0 to npm. Malicious preinstall hook (bwsetup.js -> bw1.js) harvested GitHub/npm tokens, SSH keys, .env, shell history, cloud creds (AWS/GCP/Azure), AI coding tool tokens, and crypto wallet files (Electrum, MetaMask). Self-propagating 'Shai-Hulud: The Third Coming' worm republishes the payload into any npm packages the stolen token can publish to, and commits encrypted exfil back to the victim's own GitHub repos. AES-256-GCM exfil to audit.checkmarx[.]cx (94.154.172[.]43). 334 installs during the 93-minute window. No end-user vault data accessed.
mbt, @cap-js/db-service, @cap-js/sqlite, @cap-js/postgres mbt 1.2.48; @cap-js/db-service 2.10.1; @cap-js/sqlite 2.2.2; @cap-js/postgres 2.2.2
TeamPCP-linked 'Mini Shai-Hulud' campaign hijacked SAP's release workflow and published malicious versions of four SAP Cloud Application Programming (CAP) packages to npm. Each compromised package added a preinstall hook (setup.mjs) that downloaded the Bun JS runtime from GitHub and ran an obfuscated execution.js stealer harvesting SSH keys, npm/GitHub tokens, AWS/Azure/GCP/K8s credentials, and crypto wallets. On GitHub Actions runners, an embedded Python script reads /proc/<Runner.Worker pid>/maps and /proc/<pid>/mem to scrape isSecret values directly from runner memory, bypassing log masking. Stolen data is AES-256-GCM encrypted and exfiltrated by creating a public repo on the victim's own GitHub account with description 'A Mini Shai-Hulud has Appeared.'
intercom-client intercom-client 7.0.4, 7.0.5
Intercom's official npm SDK pushed two malicious releases (7.0.4, 7.0.5) carrying the same Mini Shai-Hulud Bun-based credential stealer used in the SAP CAP compromise. preinstall hook downloads Bun runtime, executes obfuscated execution.js to harvest dev/CI secrets, and exfiltrates AES-256-GCM-encrypted blobs to attacker-created public repos on the victim's GitHub account.
lightning lightning 2.6.2, 2.6.3
PyTorch Lightning published two malicious releases (2.6.2, 2.6.3) on PyPI carrying the same Mini Shai-Hulud Bun-based stealer (8.3M monthly / 2.1M weekly downloads). Hidden _runtime/ directory auto-executes on 'import lightning': spawns a daemon thread that downloads Bun and runs an 11MB obfuscated router_runtime.js, harvesting SSH/cloud/CI credentials and crypto wallets, AES-256-GCM exfil to attacker-created repos on victim's GitHub account. Socket flagged the malicious versions 18 minutes after publication; PyPI quarantined the packages but a Socket-opened warning issue on the Lightning-AI repo was closed within one minute by a 'pl-ghost' account posting a 'SILENCE DEVELOPER' meme, a strong signal the project's GitHub account is itself compromised.
DAEMON Tools Lite (Windows installer) DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434 (Windows)
Official DAEMON Tools Lite Windows installers, served from the vendor site and signed with the legitimate Disc Soft Authenticode certificate, were trojanized starting April 8, 2026. The implant was injected into the CRT init code of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe and beaconed to env-check.daemontools[.]cc (registered March 27). Kaspersky telemetry shows thousands of infection attempts across 100+ countries with ~10% on enterprise hosts. A multi-protocol second-stage backdoor (HTTP/HTTP3/UDP/TCP/WSS/QUIC/DNS, injects into notepad.exe and conhost.exe) was deployed only on ~12 hosts in government, scientific, manufacturing, and retail orgs in Russia, Belarus, and Thailand. Chinese-speaking actor suspected. Version 12.6 (released May 5) is clean.
@tanstack/*, @mistralai/mistralai, mistralai (PyPI), @uipath/*, @opensearch-project/*, guardrails-ai (PyPI), @squawk/* 42 @tanstack/* packages (84 versions, incl. @tanstack/react-router); @mistralai/mistralai (npm); mistralai==2.4.6 (PyPI); guardrails-ai==0.10.1 (PyPI); @uipath/* SDKs; @opensearch-project/* JS clients; @squawk/* (2 packages)
TeamPCP's fourth Mini Shai-Hulud wave chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork-base trust boundary, and runtime OIDC token extraction from the Runner.Worker process via /proc/<pid>/mem. The stolen OIDC token published 84 malicious versions across 42 @tanstack/* packages directly through npm's trusted-publisher endpoint, producing the first documented npm worm carrying valid SLSA Build L3 provenance attestations. 373 malicious package-versions across 169 names in total; mistralai PyPI payload included locale-aware destructive branch targeting Hebrew/Farsi environments.
Hundreds of malicious gems (names not yet disclosed) Hundreds of malicious gems (yanked); RubyGems signup endpoint disabled
Unknown attacker uploaded hundreds of malicious gems to RubyGems on May 11-12, 2026, targeting RubyGems' own engineers and staff rather than downstream Ruby developers. Packages contained cross-site scripting payloads aimed at RubyGems moderation surfaces plus exploits intended to harvest data from registry infrastructure. RubyGems (operated by Mend.io) disabled new account registration as containment. No widely-installed gem has been reported backdoored; downstream developer impact is currently low, but the campaign signals attacker interest in compromising registry-side defenders. Distinct from but contemporaneous with the BufferZoneCorp 'knot-*' sleeper-gem credential-theft campaign disclosed May 1.
Nx Console VS Code extension (nrwl.angular-console) Nx Console 18.95.0 (VS Code Marketplace only; Open VSX unaffected; fixed in 18.100.0)
A developer's leaked GitHub credentials were used to push an orphaned, unsigned commit to the official nrwl/nx repo and ship a malicious Nx Console 18.95.0 to the VS Code Marketplace (2.2M+ installs). Opening any workspace fetched a 498 KB obfuscated payload that harvested GitHub, npm, AWS, HashiCorp Vault, Kubernetes, 1Password and Claude Code secrets, exfiltrated over HTTPS / GitHub API / DNS tunneling, and dropped a persistent macOS Python backdoor using the GitHub Search API as a dead drop. Payload bundled full Sigstore/Fulcio and SLSA provenance tooling to forge cryptographically signed npm releases from stolen OIDC tokens. Second Nx-ecosystem compromise within a year after the August 2025 s1ngularity campaign.
actions-cool/issues-helper, actions-cool/maintain-one-comment issues-helper: all 53 tags; maintain-one-comment: 15 tags (both repos now disabled by GitHub)
An attacker with write access to the actions-cool org repointed all 53 release tags of the popular issues-helper GitHub Action, plus 15 tags of maintain-one-comment, to a single imposter commit unreachable from default-branch history. The malicious commit downloads the Bun runtime inside the Actions runner, reads decrypted secrets from Runner.Worker process memory (bypassing log masking), and exfiltrates them over HTTPS to t.m-kosche[.]com. Every tag-referenced consumer pulls the payload on its next run; only full-SHA-pinned workflows are unaffected. GitHub disabled both repos for ToS violation. Exfiltration domain overlaps with the Mini Shai-Hulud @antv npm wave, suggesting a shared actor cluster.
laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions 233 versions across laravel-lang/lang (12.x-15.x lines), laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions; malicious versions removed and packages unlisted by Packagist
An attacker repointed git tags across four community Laravel-Lang Composer packages to commits in a malicious fork, backdooring 233 historical versions without ever committing to the official repos. Each poisoned version shipped src/helpers.php registered under composer.json autoload.files, so the backdoor executed on every PHP request. A stage-1 dropper fetched a second stage from flipboxstudio[.]info/payload (TLS verification disabled), staged it under <tmp>/.laravel_locale/, and ran it via exec() on Unix or a .vbs/cscript launcher on Windows. The ~5,900-line PHP stealer harvested AWS/GCP/Azure/DigitalOcean cloud keys (incl. EC2 IMDS), kubeconfig and Vault tokens, Jenkins/GitLab/GitHub Actions/ArgoCD CI/CD secrets, SSH keys, .git-credentials, 17 Chromium browsers (dropping DebugChromium.exe to bypass App-Bound Encryption), password managers, crypto wallets, and VPN configs, then exfiltrated AES/XOR-encrypted data to flipboxstudio[.]info/exfil and self-deleted. Detected by Aikido on May 22, 2026; Packagist removed the malicious versions and temporarily unlisted the packages.
5,561 GitHub repositories (incl. @tiledesk/tiledesk-server) 5,561 public GitHub repositories with weak branch protection; payload bundled into .github/workflows files
An automated campaign named Megalodon, attributed to TeamPCP, pushed 5,718 malicious commits to 5,561 distinct GitHub repositories in a six-hour window (May 18, 11:36-17:48 UTC). Using throwaway accounts with random 8-char usernames and four forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows carrying base64-encoded bash payloads. Two variants observed: SysDiag (mass) adds a workflow triggered on every push/pull_request; Optimize-Build (targeted) replaces an existing workflow with a workflow_dispatch trigger as a dormant on-demand backdoor. Payloads harvest CI env vars, /proc environ, AWS/GCP/Azure IMDS instance-role credentials, SSH keys, Docker/Kubernetes configs, Vault and Terraform credentials, 30+ secret regex matches, the GitHub Actions OIDC token request URL and token, GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens, exfiltrating to C2 216.126.225[.]129:8443. As of May 21 the ingest server logged 575,352 stolen files and 449 GB exfiltrated. Hudson Rock traced initial access to infostealer infections: 33%+ of affected GitHub usernames matched machines in infostealer logs.
34+ packages across npm (21), PyPI (7), Crates.io (6), incl. eth-security-auditor, dev-env-bootstrapper, sui-move-build-helper 34+ packages, 384+ versions/artifacts across npm, PyPI, Crates.io; reported to registries, some removed and others still live at time of Socket's analysis
A coordinated cross-ecosystem campaign tracked by Socket as TrapDoor seeded 34+ malicious packages across 384+ versions into npm, PyPI, and Crates.io, targeting crypto, DeFi, Solana, and AI developers. Earliest artifact was PyPI eth-security-auditor@0.1.0 (May 22, 2026, 20:20 UTC), with packages published in waves from a cluster of accounts. Each ecosystem uses a distinct execution path: npm postinstall hooks run a shared 1,149-line trap-core.js credential harvester that validates stolen AWS/GitHub tokens, performs SSH-based lateral movement, and uses Fernet/ECDH encryption; Crates.io build.rs scripts (executing during cargo build) XOR-encrypt local keystores with key 'cargo-build-helper-2026' and exfiltrate to GitHub Gists; PyPI packages auto-execute on import and run remote JavaScript via 'node -e'. Stolen data includes SSH keys, Sui/Solana/Aptos wallets, AWS/cloud credentials, GitHub tokens, browser profile data, and environment variables. Notable novel technique: AI-assistant injection. The campaign plants .cursorrules and CLAUDE.md files with hidden zero-width-Unicode instructions to trick AI coding assistants into running a 'security scan' that exfiltrates secrets, and the attacker opened PRs adding these files to langchain, langflow, browser-use, llama_index, MetaGPT, and OpenHands. Shared infrastructure: GitHub account ddjidd564 hosting ddjidd564.github[.]io/defi-security-best-practices/, campaign marker P-2024-001. Unrelated to the HUMAN-reported Android ad-fraud campaign of the same name.
@velora-dex/sdk 9.4.1 (pin to 9.4.0 or earlier and rotate credentials)
Version 9.4.1 of @velora-dex/sdk, the legitimate DeFi SDK for the VeloraDEX exchange, was published directly to npm with three malicious lines injected into dist/index.js while the GitHub repository was left untouched. The code decoded and executed a base64 payload on the first require()/import call, fetched a shell script from C2 at 89.36.224[.]5, dropped an architecture-specific macOS binary (Intel x86_64 and Apple Silicon arm64), and registered it as a persistent service via launchctl. The implant is MiniRAT, a Go-based macOS backdoor supporting command execution, file upload/download, directory exfiltration, and C2 agent registration. In May 2026 Wiz attributed this compromise to JINX-0164, a financially motivated actor that also deploys the AUDIOFIX Python macOS RAT via fake-recruiter social engineering and pivots from developer laptops into code distribution and CI/CD infrastructure. Documented at disclosure by SafeDep and StepSecurity.