This weekly threat intelligence bulletin covers multiple active ransomware campaigns, four critical vulnerabilities under active exploitation, and emerging AI-driven threats. Notable items include actively exploited RCE flaws in Oracle E-Business Suite and Progress Kemp LoadMaster, a Citrix NetScaler memory disclosure flaw exploited within 24 hours of disclosure, a North Korean supply-chain campaign (PolinRider) deploying 108 malicious packages, and a proof-of-concept browser-native ransomware generated by an LLM abusing Chrome's File System Access API.
A new wave of the Mini Shai-Hulud/Miasma/Hades supply chain attack campaign has compromised 23 npm packages across the LeoPlatform and RStreams ecosystems, plus the Verana Blockchain Go module. The attack uses binding.gyp install-time execution (Phantom Gyp pattern) to trigger multi-stage obfuscated JavaScript loaders that decrypt AES-GCM payloads, stage execution through Bun to evade Node.js security hooks, and steal developer/CI/CD credentials including npm, GitHub, cloud, and AI-agent tokens. The campaign also poisons GitHub Actions workflows and plants persistence hooks in AI coding assistant configurations, creating delayed execution surfaces that survive package remediation.
Malicious Chrome and Firefox browser extensions masquerading as free VPN tools ('VPN Go: Free VPN') were distributed via official extension marketplaces and later updated to include clipboard-stealing functionality. The extensions monitor clipboard contents on a timer, chunk copied text into ~1000-character segments, and exfiltrate data via HTTP GET requests to hardcoded attacker-controlled IP addresses using a /html/continue.php endpoint with uid, part, total, and data query parameters. Both extensions share infrastructure, code patterns, and build artifacts, confirming a common threat actor. The staged update pattern—initial versions functioning as legitimate proxy tools with later versions adding clipboard theft—highlights the risk of extension update supply chain compromise.
The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise 22 npm package versions under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The malicious packages use a binding.gyp 'Phantom Gyp' trick to execute hidden root-level index.js payloads without preinstall/postinstall hooks, followed by AES-128-GCM decryption and multi-stage delivery under the Bun runtime. The final payload exfiltrates developer and CI/CD secrets via the GitHub API to attacker-controlled repositories, and the campaign likely propagated through a compromised codfish/semantic-release-action GitHub Action that enabled access to release automation credentials.
Unit 42 researchers identified 'phantom squatting,' a novel supply chain attack vector where adversaries register web domains that LLMs consistently hallucinate for legitimate brands. By proactively mapping LLM hallucination patterns across 913 brands and 2.1 million generated URLs, researchers identified 13,229 confirmed malicious URLs and ~250,000 unregistered phantom domains. Real-world cases — including the Montana Empire phishing kit built with an AI coding assistant — demonstrate that adversaries independently converge on the same hallucinated domains, with detection lead times of 18–51 days. The threat exploits a structural, unpatchable property of LLM architectures and bypasses reputation-based defenses through zero-reputation newly registered domains.
OpenClaw, a widely adopted AI agent ecosystem with a skill marketplace called ClawHub, is being actively abused by attackers who publish malicious skills containing embedded shell commands or harmful natural-language instructions. Approximately 530 vulnerabilities have been discovered in OpenClaw and its underlying technologies, many involving sensitive data storage and excessive privileges. Kaspersky identified over 600 malicious skills from 24 accounts in April, with 1,100+ malicious accounts created since January. Malicious skills observed include macOS payloads using base64-encoded curl-pipe-to-bash execution and Windows MSI installers distributed via password-protected ZIP archives.
Threat actors are exploiting the OpenClaw AI agent ecosystem by publishing malicious skills on the ClawHub marketplace. These skills leverage semantic instruction hijacking to bypass traditional security controls, delivering macOS infostealers via base64-encoded droppers, utilizing massive file padding for defense evasion, and executing novel agentic financial fraud schemes like runtime affiliate injection and front-running.
Microsoft identified a large-scale npm supply chain attack by North Korean threat actor Sapphire Sleet, compromising over 140 packages in the Mastra ecosystem. The attackers used a compromised maintainer account to inject a malicious typosquat dependency that executes a cross-platform Node.js implant during installation, leading to cryptocurrency wallet theft, host reconnaissance, and persistent backdoor access.
Threat researchers discovered GlassWASM, a WebAssembly-based malware distributed via trojanized extensions on the Open VSX marketplace. The malware uses ChaCha20 encryption to evade static analysis and leverages the Solana blockchain as a resilient C2 dead-drop to retrieve and execute OS-specific second-stage payloads via Node.js.
This threat intelligence report highlights multiple critical vulnerabilities and active exploits, including a zero-day in Oracle PeopleSoft (CVE-2026-35273) exploited by ShinyHunters and an IKEv1 authentication bypass in Check Point VPNs (CVE-2026-50751) linked to Qilin ransomware. Additionally, the report details emerging AI-driven threats, a supply-chain compromise in the Arch User Repository deploying eBPF rootkits, and widespread patching efforts by Microsoft and Veeam.
The Shai-Hulud software supply chain campaign has significantly evolved, expanding from npm to PyPI and shifting from maintainer compromise to CI/CD abuse. Recent waves demonstrate advanced techniques including OIDC token scraping to bypass SLSA provenance, IDE configuration file weaponization, and prompt injection designed to evade LLM-based security scanners.
Between 2024 and 2026, the Vietnam-aligned threat actor OceanLotus (APT32) shifted its focus toward domestic espionage, conducting a supply-chain attack against the FireAnt MetaKit stock investment platform and compromising a major infrastructure corporation. The campaigns leveraged DLL side-loading to deploy the SPECTRALVIPER backdoor, which features advanced orchestration capabilities and exfiltrates encrypted host data via HTTP Cookie headers.
The article introduces Behavioral Integrity Verification (BIV) to audit third-party skills for AI agents by comparing declared metadata against actual executable code and natural-language instructions. Analysis of the OpenClaw registry found that while most deviations are benign documentation errors, a critical 5% of skills contain multi-stage attack chains such as silent credential exfiltration and instruction-override hijacking.
A fast-moving supply chain campaign dubbed Mini Shai-Hulud/Miasma is targeting Python developers via malicious PyPI wheels. The threat actors are utilizing novel execution techniques, including trojanized native extensions and split-loader .pth hooks that search sys.path for payloads, to deploy the Hades stealer and harvest credentials from CI/CD pipelines and developer workstations.
The third wave of the Shai-Hulud supply chain worm, dubbed Miasma, targets the npm ecosystem by utilizing weaponized binding.gyp files to bypass lifecycle script monitoring. It establishes deep persistence within AI assistant and IDE configuration directories, evades detection through dormancy and EDR checks, and abuses valid Sigstore attestations to masquerade as legitimate packages.
This threat intelligence report highlights active exploitation of critical vulnerabilities, including a Windows Netlogon RCE (CVE-2026-41089) and an Android Framework flaw. It also details significant data breaches affecting DentaQuest and the UN WFP, emerging AI-driven threats such as EDR evasion labs, a supply chain compromise of the Hola browser, and Iranian state-sponsored espionage operations utilizing Dutch hosting infrastructure.
A coordinated supply chain attack compromised 19 PyPI packages, utilizing malicious .pth files to achieve execution at Python startup. The loader downloads the Bun runtime to execute an obfuscated JavaScript stealer targeting developer secrets, cloud credentials, and CI/CD tokens, exfiltrating data via GitHub repositories and Actions.
A highly coordinated supply chain attack compromised 56 npm packages across 286 versions by abusing the binding.gyp native build configuration to silently execute malicious code during installation. The multi-stage, heavily encrypted payload targets CI/CD environments to harvest cloud credentials, propagates via stolen OIDC tokens, and establishes persistence with a destructive dead man's switch.
During a routine certification test, Sophos X-Ops discovered an undeclared XMRig-based crypto-miner bundled with Hola Browser version 1.251.91.0. The incident was attributed to a supply chain compromise affecting the browser's distribution pipeline, which has since been remediated by the vendor.
A supply chain attack dubbed 'Mini Shai-Hulud' compromised numerous npm packages, notably within the @redhat-cloud-services namespace. The malicious packages use preinstall hooks to execute an obfuscated loader that decrypts and runs a credential-harvesting payload via the Bun runtime, targeting CI/CD secrets, cloud credentials, and developer tokens for encrypted exfiltration.
Security researchers successfully bypassed multiple AI agent skill scanners, including ClawHub, Cisco's skill-scanner, and skills.sh integrations, using techniques like file truncation, embedded payloads, Python bytecode poisoning, and prompt injection. The findings highlight that automated scanning of AI agent skills is fundamentally flawed due to the complex mix of natural language, code, and limited scanner context windows, necessitating a shift towards curated, trusted skill repositories.
A targeted supply chain attack attributed to Famous Chollima compromised a development branch of the legitimate PHP package 'roberts/leads' on Packagist. The attackers injected an obfuscated JavaScript loader into a tailwind.js configuration file, which utilizes blockchain RPC infrastructure as a dead drop to retrieve and execute secondary payloads like DEV#POPPER RAT, likely as part of a Contagious Interview developer lure.
This report details primary attack vectors against containerized environments, focusing on container escapes, orchestration API abuse, and supply chain compromises. Threat actors exploit misconfigurations such as excessive Linux capabilities and exposed Docker sockets to break out of containers, while also targeting CI/CD pipelines and public image repositories to establish initial footholds.
ESET's Q4 2025–Q1 2026 APT Activity Report highlights global espionage and destructive campaigns by state-aligned actors. Notable incidents include a major supply chain compromise of the 'axios' npm library by Lazarus, destructive wiper attacks on Polish critical infrastructure by Sandworm, and the deployment of new edge-device implants like PhiliKit against Ivanti VPNs by China-aligned groups.
A malicious NuGet package named Sicoob.Sdk impersonated the official C# SDK for the Brazilian financial cooperative Sicoob. The package was designed to silently exfiltrate sensitive banking authentication material, including PFX certificates and passwords, as well as raw transaction data, to a third-party Sentry telemetry endpoint, posing a severe risk of API impersonation and financial data exposure.
CrowdStrike, in collaboration with Google and Shadowserver, successfully dismantled the Glassworm botnet, a highly resilient threat targeting software developers. The threat actors utilized trojanized IDE extensions and malicious package dependencies to deploy GlasswormRAT, leveraging a complex C2 infrastructure spanning the Solana blockchain, BitTorrent DHT, and Google Calendar to maintain persistent access to developer environments.
A supply chain attack dubbed 'megalodon' compromises GitHub Action YAML configurations by injecting base64-encoded malicious scripts to exfiltrate repository data. Analysis of the C2 infrastructure, identified as the NEXUS Listener framework, links this activity to a prior campaign that exploited CVE-2026-41940 in cPanel servers to deploy cryptominers and steal high-value cloud credentials.
This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
Software Supply Chain and AI Exploitation Dominate Threat Landscape
The software supply chain has become the primary battlefield for attackers because compromising a single developer tool can cascade into thousands of enterprise networks. Campaigns like Mini Shai-Hulud and TrapDoor are stealing credentials and injecting backdoors across major code registries, while the Laravel Lang Compromise and the Coruna Exploit Kit show how malicious code can automatically execute to steal secrets or exploit end users. As a result, organizations must treat developer environments as high-value targets, because a single compromised package or malicious VS Code extension can lead to catastrophic breaches like the GitHub internal repository theft by TeamPCP.
In parallel, artificial intelligence is simultaneously accelerating attacks and creating dangerous new attack surfaces. Threat actors are using AI to automate influence campaigns like Patriot Bait and crack passwords, while also impersonating AI tools like Gemini CLI and Claude Code to deliver infostealers. Furthermore, attackers are directly targeting exposed AI infrastructure, such as Ollama AI endpoints, and manipulating AI coding assistants via hidden prompt injections in campaigns like TrapDoor, which means AI systems are both the weapon and the target.
These trends together suggest that traditional perimeter defenses are failing against supply chain and AI-driven threats. Managers should immediately enforce strict vetting of open-source packages, restrict developer access to unverified extensions, and ensure AI infrastructure is not exposed to the public internet.
The TrapDoor campaign is a sophisticated supply chain attack targeting crypto, DeFi, and AI developers across npm, PyPI, and Crates.io. The threat actor deployed over 34 malicious packages that utilize ecosystem-specific execution methods to steal credentials, wallets, and SSH keys, while uniquely leveraging AI configuration files like .cursorrules to trick AI assistants into executing exfiltration workflows.
A massive supply chain attack compromised over 700 historical versions of Laravel Lang packages, injecting an RCE backdoor via Composer's autoloader. The backdoor delivers a sophisticated, cross-platform PHP information stealer designed to harvest cloud credentials, CI/CD secrets, browser data, and local configuration files.
A widespread supply chain attack compromised hundreds of GitHub repositories by injecting malicious postinstall scripts into package.json files and GitHub Actions workflows. The payload uses curl to download a remote Linux binary disguised as an SSH daemon, primarily targeting PHP projects that bundle JavaScript build tools to bypass standard Composer dependency reviews.
In response to the ongoing Mini Shai-Hulud supply chain campaign, npm has invalidated all granular access tokens that bypass two-factor authentication. The threat actors have been harvesting credentials from CI/CD environments to automate the publishing of malicious package versions, successfully bypassing existing controls like OIDC Trusted Publishing. To provide a more robust defense, npm has introduced an opt-in Staged Publishing feature that requires interactive MFA approval for automated releases.
Trail of Bits collaborated with the maintainers of zizmor, a GitHub Actions static analyzer, to improve its parsing capabilities and robustness. By testing against a massive corpus of real-world workflows, they identified and fixed multiple YAML anchor handling bugs, deserialization edge cases, and expression evaluator flaws, significantly enhancing zizmor's ability to detect CI/CD misconfigurations.
A supply chain attack compromising the widely-used npm package 'art-template' was discovered delivering the Coruna exploit kit to iOS devices. The injected JavaScript acts as a sophisticated watering hole framework, utilizing extensive anti-bot fingerprinting and WebAssembly memory probes to deliver version-specific WebKit RCE exploits targeting Safari on iOS 11.0 through 17.2.
GitHub experienced an internal security incident where threat actor TeamPCP (UNC6780) compromised an employee's device using a malicious Visual Studio Code extension. The attacker harvested local developer secrets to clone approximately 3,800 internal repositories, which were subsequently listed for sale on a cybercrime forum.
A malicious Visual Studio Code extension installed on a GitHub employee's endpoint provided the threat actor TeamPCP with access to exfiltrate approximately 3,800 internal repositories. The incident underscores the critical risk of IDE extensions serving as initial access vectors for supply-chain attacks, allowing threat actors to leverage developer privileges for large-scale data exfiltration.
A long-running typosquat of a popular Go decimal library was weaponized to include a DNS-based backdoor. The malicious package, github.com/shopsprint/decimal, uses an init() function to poll a dynamic DNS subdomain via TXT records, executing the returned strings as arbitrary commands on the host system.
A large-scale npm supply chain attack compromised hundreds of packages, notably within the @antv ecosystem, using a malware variant known as Mini Shai-Hulud. The malware executes upon installation to harvest sensitive developer and CI/CD secrets, exfiltrating them to a hardcoded C2 server or via a GitHub repository fallback, and leverages stolen npm tokens to propagate itself to other packages.
Recent versions of the popular npm package node-ipc (9.1.6, 9.2.3, 12.0.1) were compromised to include an obfuscated credential stealer. The malware executes upon CommonJS module load, harvests sensitive developer and cloud credentials, and exfiltrates the compressed data via DNS TXT queries to attacker-controlled infrastructure.
Kaspersky's Q1 2026 threat report highlights significant law enforcement actions against major ransomware operators, alongside the emergence of new ransomware groups like The Gentlemen. The quarter also saw active zero-day exploitation of Cisco Secure FMC (CVE-2026-20131) by the Interlock group, a rise in macOS-targeted crypto stealers and supply chain attacks via the Axios npm package, and persistent IoT botnet activity dominated by Mirai variants.
Developer Supply Chains Under Siege as Edge Device Exploits Surge
The dominant narrative this week is the coordinated weaponization of the software supply chain, as threat actors like TeamPCP and Mini Shai-Hulud aggressively target developer tools to steal cloud credentials. Because these attackers compromise trusted build systems like GitHub Actions, a single malicious package—such as the compromised TanStack libraries—can cascade into massive downstream breaches, allowing criminals to hold development environments hostage and even deploy destructive dead-man switches if their access is cut off.
In parallel, attackers are bypassing traditional network defenses by exploiting internet-facing edge devices and logging in with stolen credentials. Threat clusters are actively exploiting critical flaws in Cisco Catalyst SD-WAN and Microsoft Exchange, while ransomware groups like The Gentlemen and state-sponsored actors like Secret Blizzard use these footholds to live off the land, hijacking legitimate IT tools to stay hidden for months.
These trends together suggest that perimeter-focused defenses and basic patching are no longer sufficient. Organizations must immediately isolate their CI/CD pipelines from cloud credentials, enforce phishing-resistant multi-factor authentication on all internet-facing systems, and assume that trusted vendor tools may already be compromised.
The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked.
The Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) rule, effective November 10, 2025, shifting from self-attestation to mandatory third-party verification for contractors handling sensitive data. Organizations must proactively prepare their technology, processes, and documentation to meet NIST SP 800-171 requirements and avoid anticipated assessment bottlenecks.
The Talos Threat Source newsletter highlights an impending surge in software patching driven by AI vulnerability discovery tools. It also contrasts state-sponsored espionage tactics—which leverage valid credentials and native tools to bypass traditional defenses—with commodity ransomware, while summarizing recent supply chain compromises across developer platforms like Hugging Face and Jenkins.
TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises.
The GemStuffer campaign leverages the RubyGems package registry as an unconventional data exfiltration channel. Threat actors deploy Ruby scripts that scrape UK local government portals, package the harvested data into valid .gem archives, and push them to RubyGems using hardcoded API keys. The malware demonstrates defense evasion by overriding the HOME environment variable to a /tmp directory to isolate its credential environment, or by bypassing the gem CLI entirely to perform direct API POST requests.
TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.
A maintainer access dispute in the widely used fsnotify Go library sparked supply chain security concerns, though no malicious code was introduced. The incident underscores the risks of ambiguous open-source governance and the heightened downstream sensitivity to sudden maintainer changes following recent supply chain attacks like the xz-utils backdoor.
A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access.