More than 30 npm packages under Red Hat’s ‘@redhat-cloud-services’ namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed “Miasma.” […]
Tag: supplychain
AI, Global Security News, Network Security
Glassworm botnet disrupted after resilient C2 infrastructure takedown
The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network. […]
AI, Global Security News, malware
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
A large-scale software supply-chain attack involving the “Shai-Hulud” malware has compromised hundreds of packages across open-source software ecosystems. […]
AI, Apps, Cybersecurity, Global Security News, malware, Network Security, Risk Management
Supply-chain attacks take aim at your AI coding agents
Attackers too are looking to cash in on the AI coding craze, adapting their supply-chain techniques to target coding agents themselves. Many AI agents autonomously scan package registries such as NPM and PyPI for components to integrate into their coding projects, and attackers are beginning to take advantage of this. Bait packages with persuasive descriptions…
AI, Global Security News, Risk Management
Top AI Companies Agree to Pentagon Deals for Classified Work
The contracts give the Defense Department more AI options after it declared Anthropic a supply-chain risk.
AI, Global Security News
Official SAP npm packages compromised to steal credentials
Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers’ systems. […]
AI, Compliance, Global Security News, Government & Policy, Risk Management
US court refuses to stay Pentagon’s ‘supply-chain risk’ blacklisting of Anthropic
A federal appeals court in Washington has refused to suspend the Pentagon’s supply-chain risk designation against Anthropic, leaving defense contractors with conflicting legal signals over whether they can continue using Claude, and putting the ruling at odds with a separate federal court that reached the opposite conclusion last month. “The equitable balance here cuts in…
AI, Global Security News
Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack
The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular “LiteLLM” Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack. […]
AI, Data Breaches, Exploits, Global Security News, Risk Management
Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack
SAN FRANCISCO — Mandiant is responding to a major, ongoing supply-chain attack involving the compromise of Trivy, a widely used open-source tool from Aqua Security that’s designed to find vulnerabilities and misconfigurations in code repositories. The fallout from the attack spree, which was first detected March 19, is extensive and poses substantial risk for follow-on…
AI, Global Security News
Trivy supply-chain attack spreads to Docker, GitHub repos
The TeamPCP hackers behind the Trivy supply-chain attack continued to target Aqua Security, pushing malicious Docker images and hijacking the company’s GitHub organization to tamper with dozens of repositories. […]
AI, Global Security News, malware
Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions. […]
AI, Global Security News
GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX
The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions. […]
AI, Global Security News
AppsFlyer Web SDK used to spread crypto stealer JavaScript code
Malicious JavaScript code delivered by the AppsFlyer Web SDK hijacked cryptocurrency, potentially in a supply-chain attack. […]
AI, Global Security News, malware, Network Security
PhantomRaven returns to npm with 88 bad packages
Last year’s “PhantomRaven” supply-chain campaign is back, with security researchers uncovering 88 new malicious packages in what they describe as the second, third, and fourth waves of the operation. According to Endor Labs findings, the newly discovered packages were published between November 2025 and February 2026, with 81 of them still available on npm along…
AI, Global Security News
New PhantomRaven NPM attack wave steals dev data via 88 packages
New attack waves from the ‘PhantomRaven’ supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers. […]
AI, Global Security News
Apple Uses Low Prices to Attack Rivals During Memory-Chip Crunch
Leveraging its supply-chain might, the iPhone giant is making a play for more share in cheaper phone and laptop categories.