The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise 22 npm package versions under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The malicious packages use a binding.gyp 'Phantom Gyp' trick to execute hidden root-level index.js payloads without preinstall/postinstall hooks, followed by AES-128-GCM decryption and multi-stage delivery under the Bun runtime. The final payload exfiltrates developer and CI/CD secrets via the GitHub API to attacker-controlled repositories, and the campaign likely propagated through a compromised codfish/semantic-release-action GitHub Action that enabled access to release automation credentials.
AI Attacked and Abused While Perimeter Authentication Collapses
The month's defining shift was the emergence of AI as a two-sided battlefield: organizations deployed AI tools faster than they secured them, while attackers weaponized the same technology against defenders. Critical flaws in LangGraph allowed SQL injection chained to remote code execution, M365 Copilot could be turned into a one-click data exfiltration weapon via SearchLeak, and Langflow was exploited to deploy cryptominers. Meanwhile, the ongoing Shai-Hulud campaign injected prompts to blind AI malware scanners, macOS.Gaslight turned prompt injection against human analysts, and Russia's APT28 began experimenting with LLM-integrated malware. At the same time, perimeter authentication collapsed at scale: FortiBleed exposed credentials for over 73,000 FortiGate firewalls, CVE-2026-50751 let attackers bypass Check Point VPN authentication entirely, and ShinyHunters exploited an Oracle PeopleSoft zero-day across over 100 organizations.
Supply chain attackers followed developers to their new AI tools, compromising the ecosystems where code is written and built. The Shai-Hulud/Miasma worm expanded from npm into PyPI and injected persistent backdoors into AI coding assistant configurations, while North Korea's Sapphire Sleet compromised over 140 Mastra npm packages to steal cryptocurrency wallets, and the ongoing GlassWorm campaign pivoted to WebAssembly malware in VS Code extensions using the Solana blockchain as command-and-control. Social engineering also industrialized: the ErrTraffic framework turned ClickFix deception into a Malware-as-a-Service operation with blockchain dead drops, and EvilTokens hid phishing flows inside browser-side encryption to defeat network scanners while hijacking Microsoft device-code authentication.
Organizations should treat AI deployments as untrusted perimeter assets—restrict their network access, audit third-party skills and extensions, and assume prompt-injection attacks will target both automated scanners and human analysts. Every internet-facing VPN, firewall, and edge appliance should be patched immediately, with credentials rotated and phishing-resistant MFA enforced, because perimeter authentication failures now cascade directly into internal network compromise.
The Canadian Centre for Cyber Security issued an advisory regarding critical vulnerabilities across multiple Broadcom VMware Tanzu products, including RabbitMQ, Greenplum, and GemFire. Organizations are advised to review the Broadcom security advisories and apply the patched versions to mitigate potential exploitation risks.
The third wave of the Shai-Hulud supply chain worm, dubbed Miasma, targets the npm ecosystem by utilizing weaponized binding.gyp files to bypass lifecycle script monitoring. It establishes deep persistence within AI assistant and IDE configuration directories, evades detection through dormancy and EDR checks, and abuses valid Sigstore attestations to masquerade as legitimate packages.
A coordinated supply chain attack compromised 19 PyPI packages, utilizing malicious .pth files to achieve execution at Python startup. The loader downloads the Bun runtime to execute an obfuscated JavaScript stealer targeting developer secrets, cloud credentials, and CI/CD tokens, exfiltrating data via GitHub repositories and Actions.
A highly coordinated supply chain attack compromised 56 npm packages across 286 versions by abusing the binding.gyp native build configuration to silently execute malicious code during installation. The multi-stage, heavily encrypted payload targets CI/CD environments to harvest cloud credentials, propagates via stolen OIDC tokens, and establishes persistence with a destructive dead man's switch.
A supply chain attack dubbed 'Mini Shai-Hulud' compromised numerous npm packages, notably within the @redhat-cloud-services namespace. The malicious packages use preinstall hooks to execute an obfuscated loader that decrypts and runs a credential-harvesting payload via the Bun runtime, targeting CI/CD secrets, cloud credentials, and developer tokens for encrypted exfiltration.
This report details primary attack vectors against containerized environments, focusing on container escapes, orchestration API abuse, and supply chain compromises. Threat actors exploit misconfigurations such as excessive Linux capabilities and exposed Docker sockets to break out of containers, while also targeting CI/CD pipelines and public image repositories to establish initial footholds.
A massive supply chain attack compromised over 700 historical versions of Laravel Lang packages, injecting an RCE backdoor via Composer's autoloader. The backdoor delivers a sophisticated, cross-platform PHP information stealer designed to harvest cloud credentials, CI/CD secrets, browser data, and local configuration files.
The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked.
SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.
A sophisticated supply-chain worm dubbed 'Mini Shai-Hulud' has compromised numerous high-profile npm and PyPI packages, including TanStack and Mistral AI. The heavily obfuscated payload targets CI/CD environments to systematically harvest credentials from GitHub, AWS, Vault, and Kubernetes. It autonomously propagates by minting npm publish tokens and committing malicious code to repositories, while exfiltrating stolen secrets via the Session P2P network.
Quasar Linux (QLNX) is an advanced, previously undocumented Linux Remote Access Trojan (RAT) designed to compromise developer workstations and facilitate supply chain attacks. It employs sophisticated evasion techniques, including fileless execution, process name spoofing, and dynamically compiled LD_PRELOAD and eBPF rootkits, alongside a PAM backdoor to harvest critical cloud and repository credentials.
A software supply chain campaign attributed to the GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules designed to steal developer secrets and compromise CI/CD environments. The packages impersonate legitimate developer tools to execute install-time and runtime payloads that harvest credentials, tamper with GitHub Actions workflows, manipulate Go dependency resolution, and establish SSH persistence.
The Mini Shai-Hulud supply chain attack campaign has expanded into the PHP ecosystem by compromising the widely used intercom/intercom-php package on Packagist. The malicious artifact abuses Composer plugin execution to download the Bun runtime and execute an obfuscated JavaScript payload designed to harvest and exfiltrate sensitive credentials from developer environments and CI/CD pipelines.
The official intercom-client npm package (version 7.0.4) was compromised in a supply chain attack attributed to the Mini Shai-Hulud campaign and linked to the TeamPCP threat actor. The malicious package executes during installation via a preinstall hook to harvest cloud, Kubernetes, and Vault credentials from developer and CI/CD environments, exfiltrating them via the GitHub API.
A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations.
CVE-2026-31431, dubbed 'Copy Fail', is a CVSS 7.8 local privilege escalation vulnerability in the Linux kernel's algifaead module affecting kernels built since 2017. By chaining an AFALG socket operation with splice(), an unprivileged local user can overwrite page-cache-backed pages, such as setuid binaries, to obtain root privileges. With a public PoC available and vendor patches pending, immediate mitigation via module disabling or seccomp filtering is critical.
A supply chain attack targeting npm packages associated with Namastex.ai has been discovered, utilizing CanisterWorm-style malware. The malicious packages execute upon installation to harvest developer credentials, cloud secrets, and cryptocurrency wallets, exfiltrating data to an ICP canister and webhooks while attempting to self-propagate across the npm and PyPI ecosystems.
Threat actors are increasingly targeting Kubernetes environments by exploiting vulnerabilities like React2Shell and misconfigurations to steal service account tokens. These stolen identities are then used to escalate privileges and move laterally into backend cloud infrastructure, leading to severe impacts such as cryptocurrency theft.
A sophisticated supply chain attack by the threat actor TeamPCP compromised the popular AI proxy package LiteLLM via a previously hijacked Trivy GitHub Action. The malicious package deployed a multi-stage payload utilizing a Python .pth file to harvest extensive cloud, Kubernetes, and AI credentials, encrypt them, and exfiltrate them to attacker-controlled infrastructure while establishing a persistent remote code execution backdoor.
A sophisticated supply chain attack compromised the official Trivy GitHub Action (aquasecurity/trivy-action) by force-pushing 75 version tags to malicious commits. The injected infostealer harvests sensitive CI/CD secrets from runner memory and filesystems, exfiltrating them to a typosquat domain or a fallback GitHub repository.
The TeamPCP threat actor targets cloud-native and containerized environments to deploy cryptominers and ransomware. The attack chain involves initial access via web server exploitation, in-memory payload execution, Kubernetes API abuse for lateral movement, and node-level escape using privileged DaemonSets.
Elastic has introduced Defend for Containers (D4C) in version 9.3.0, providing runtime visibility and detection capabilities for Linux container workloads in Kubernetes environments. The integration captures process and file activity enriched with orchestration metadata, enabling detection engineers to build robust, behavior-based security policies.
The proliferation of autonomous AI agents like OpenClaw has introduced severe security risks, including unauthorized data access and silent exfiltration via prompt injection and malicious plug-ins. To mitigate these threats, organizations must transition from local agent deployments to hardened, isolated cloud environments utilizing defense-in-depth strategies such as kernel-level eBPF monitoring and runtime prompt interception.
This comprehensive guide outlines proactive hardening strategies to defend against destructive cyberattacks, such as ransomware and wipers. It provides actionable recommendations for securing external-facing assets, segmenting IT/OT and virtualization infrastructure, restricting lateral movement, and protecting privileged credentials across on-premises and cloud environments.
AI Rush Opens New Attack Paths as Trusted Cloud Services Fuel Phishing
The rush to adopt artificial intelligence is giving attackers two new advantages: convincing lures to trick users and poorly secured infrastructure to exploit. This week, multiple campaigns used fake websites for the Claude AI assistant to infect victims with password-stealing malware, while researchers revealed that commercial robots and AI connection protocols contain critical flaws that let hackers hijack them. Because organizations are deploying AI tools faster than they can secure them, attackers are finding easy entry points into corporate networks.
In parallel, phishing campaigns are increasingly hijacking trusted cloud services like Amazon's email platform and Vercel's AI-powered website builder to send messages that bypass security filters entirely. A massive campaign targeting US employees used fake HR reviews to steal login sessions even when multi-factor authentication was enabled, and the breach of the Canvas learning platform exposed data on 275 million people that can now be used for highly convincing follow-up scams. These trends together suggest that traditional defenses are losing effectiveness because attackers are hiding inside the systems we already trust.
Organizations should immediately patch the actively exploited Palo Alto Networks and Ivanti vulnerabilities flagged by CISA this week, require phishing-resistant authentication methods, and treat every AI tool and robot connected to their network as a high-risk device that needs strict monitoring.