Tag: supply-chain
-
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.The affected npm packages have been modified to include an obfuscated JavaScript file (“router_init.js”) that’s designed…
-
84 npm Packages Linked to TanStack Hit by Supply-Chain Breach
A massive supply chain breach affecting 84 npm packages within the widely used TanStack ecosystem. Malicious actors compromised these packages by injecting a sophisticated credential-stealing tool designed to target continuous integration environments such as GitHub Actions. Packages such as React Router, which sees over 12 million weekly downloads, were modified, posing a severe threat to…
-
Checkmarx Jenkins AST Plugin Compromised in KICS Supply Chain Attack
Supply chain campaign has now extended to Checkmarx’s Jenkins ecosystem, with attackers pushing a malicious Checkmarx Jenkins AST plugin to the official Jenkins Marketplace as part of the ongoing KICS/Trivy-linked compromise. The rogue release is identified as version 2026.5.09 and includes tampered plugin artifacts, while the last known-good Jenkins AST plugin build remains 2.0.13-829.vc72453fa_1c16, released…
-
Google Says Hackers Used AI to Develop a Zero-Day Exploit
Google researchers say hackers used AI to develop zero-day exploits, Android backdoors, and automated supply chain attacks targeting GitHub and PyPI. First seen on hackread.com Jump to article: hackread.com/google-hackers-used-ai-develop-zero-day-exploit/
-
AI Is Reshaping Software Supply Chain Risk
AI-assisted development is expanding software supply chain risks faster than security controls can keep pace. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/ai-is-reshaping-software-supply-chain-risk/
-
TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace.”If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously,” the cybersecurity company said in a statement over the weekend.As…
-
Google warns artificial intelligence is accelerating cyberattacks and zero-day exploits
Tags: access, ai, attack, cloud, cyber, cyberattack, defense, exploit, google, hacker, intelligence, supply-chain, threat, vulnerability, zero-dayGoogle says hackers now use AI to create exploits, automate attacks, evade defenses, and target AI supply chains at scale. Artificial intelligence is rapidly changing the cyber threat landscape, and a new report from the Google Cloud Threat Intelligence team highlights how attackers already use AI to improve vulnerability exploitation and gain initial access to…
-
Malicious Hugging Face model masquerading as OpenAI release hits 244K downloads
Part of a broader AI supply chain targeting: HiddenLayer, in its advisory, said that it identified six additional Hugging Face repositories uploaded under a separate account that used nearly identical loader logic and shared infrastructure with the campaign.The researchers also linked elements of the operation to earlier software supply-chain attacks involving npm typosquatting campaigns and…
-
1,800+ MCP servers exposed without authentication: How zero trust can secure the AI agent revolution
Tags: ai, attack, authentication, breach, cloud, control, credentials, data, data-breach, defense, exploit, framework, governance, identity, infrastructure, Internet, LLM, malicious, monitoring, network, risk, service, supply-chain, threat, tool, vulnerability, zero-trustThe epistemological chasm: What renders MCP vulnerabilities particularly vexatious is the fundamental asymmetry they exploit between machine cognition and human oversight.Tool poisoning attacks insert malevolent instructions into tool metadata that LLMs process with complete fidelity but that remain utterly invisible to human operators. The machine perceives everything; its ostensible supervisors perceive nothing. We have unwittingly…
-
Official JDownloader site served malware to Windows and Linux users between May 6 and May 7
JDownloader website was hacked to distribute malicious Windows and Linux installers carrying a Python RAT between May 67, 2026. JDownloader official website was compromised in a supply chain attack that replaced legitimate Windows and Linux installers with malicious files between May 6 and May 7, 2026. JDownloader is a free, open-source download management application designed…
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 96
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter CloudZ RAT potentially steals OTP messages using Pheno plugin Backdoored PyTorch Lightning package drops credential stealer A rigged game: ScarCruft compromises gaming platform in a supply-chain attack Muddying the Tracks: The State-Sponsored Shadow Behind…
-
fsnotify Maintainer Access Change Sparks Supply Chain Security Concerns
A dispute over maintainer access in the widely used Go library fsnotify has triggered temporary supply chain concerns after contributors were removed from the project’s GitHub organization and recent releases came under scrutiny. While no evidence suggests that any version of fsnotify has been compromised, the incident highlights how governance ambiguity in critical open source projects can…
-
Cybersicherheit endet nicht an der Unternehmensgrenze – Die Lieferkette wird zum trojanischen Pferd der Cybersicherheit
First seen on security-insider.de Jump to article: www.security-insider.de/lieferkette-trojanisches-pferd-cybersicherheit-supply-chain-a-8ced81ab9d824c049dd96224396b0ea2/
-
The British public need to be better prepared for emergencies | Letter
Tags: attack, china, cyber, data-breach, disinformation, iran, resilience, russia, supply-chain, threat, warfare<strong>Jean Coussins</strong> says a cross-party Lords committee has been tasked with coming up with a plan to normalise resilience in our everyday livesYour editorial (<a href=”https://www.theguardian.com/commentisfree/2026/may/01/the-guardian-view-on-britains-fragile-systems-when-global-shocks-hit-your-shopping-bill”>Britain’s fragile systems: when global shocks hit your shopping bill, 1 May) makes clear that the public need to be more fully informed about global threats and actively engaged in…
-
Was deutsche Unternehmen und Behörden aus dem Daemon-Tools-Supply-Chain-Angriff mitnehmen sollten
Ein monatelanger Lieferketten-Angriff auf Daemon-Tools, ein weit verbreitetes Disk-Imaging-Tool, verdeutlicht: Kompromittierungen sind nach wie vor sehr schwer aufzudecken. Der von Kaspersky aufgedeckte Angriff lief ab dem 8. April und infizierte heimlich, still und leise Systeme in über 100 Ländern. Dabei wurden zunächst Systemdaten gesammelt, bevor anschließend bei ausgewählten Opfern in Handel, Verwaltung, Industrie und Forschung…
-
Supply-Chain-Angriff auf DAEMON Tools zeigt Schwächen bei der Angriffserkennung in Unternehmen und Behörden
Wer Threat Intelligence weiterhin nur als Reporting- oder Compliance-Thema betrachtet, unterschätzt die operative Bedeutung moderner Cyberabwehr. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/supply-chain-angriff-auf-daemon-tools-zeigt-schwaechen-bei-der-angriffserkennung-in-unternehmen-und-behoerden/a45042/
-
Google Fixes CVSS 10 Gemini CLI Vulnerability Enabling GitHub Issue-Based RCE
Tags: cvss, github, google, hacker, injection, rce, remote-code-execution, supply-chain, vulnerabilityGoogle patches a CVSS 10 Gemini CLI vulnerability that allowed hackers to use prompt injection and privilege escalation for a full supply chain compromise. First seen on hackread.com Jump to article: hackread.com/google-cvss-10-gemini-cli-vulnerability-github-rce/
-
ShinyHunters’ Instructure Canvas LMS and Vimeo Breaches Impact Millions of Users
ShinyHunters breached Instructure and Vimeo, exposing millions of student and user records through direct and supply chain attacks. First seen on hackread.com Jump to article: hackread.com/shinyhunters-instructure-canvas-lms-vimeo-data-breach/
-
DAEMON Tools devs confirm breach, release malware-free version
Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/daemon-tools-devs-confirm-breach-release-malware-free-version/
-
Hackers compromise Daemon Tools in global supply-chain attack, researchers say
Researchers at Kaspersky said attackers tampered with installers for Daemon Tools, a popular program used to mount disk images as virtual drives, and distributed them through the software’s official website. First seen on therecord.media Jump to article: therecord.media/hackers-compromise-daemon-tools-global-supply-chain-attack
-
Attackers compromised Daemon Tools software to deliver backdoors
Kaspersky researchers uncovered another supply chain compromise involving a popular Windows tool: Daemon Tools, an app for mounting disk image files as virtual drives that is … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/05/06/daemon-tools-compromised-backdoors-supply-chain-attack/
-
TeamPCP spielt falsches Spiel mit <> Bitwarden-Tool
Sicherheitsforscher von JFrog haben einen ausgeklügelten Supply-Chain-Angriff im npm-Ökosystem aufgedeckt. Ein manipuliertes Bitwarden-CLI-Paket tarnt sich als legitimes Entwickler-Tool und schleust Schadcode direkt beim Installationsprozess ein. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/teampcp-bitwarden-tool
-
Google’s Android Apps Get Public Verification to Stop Supply Chain Attacks
Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks.”This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute,” Google’s product and security teams said.The initiative builds upon the foundation of Pixel Binary Transparency, which Google…
-
Poisoned truth: The quiet security threat inside enterprise AI
It takes surprisingly little poison to corrupt: Bad internal data is the immediate problem. But the external supply chain may be even harder to control.Research by Anthropic, the UK AI Security Institute, and the Alan Turing Institute discovered that as few as 250 maliciously crafted documents can poison LLMs of any size.That creates a massive…
-
Malicious PyTorch Lightning update hits AI supply chain security
A malicious PyTorch Lightning update (v2.6.3) on PyPI spread briefly, stealing credentials and raising major concerns about AI supply chain security. A malicious update of the PyTorch Lightning library exposed developers to credential theft and remote compromise. Attackers uploaded version 2.6.3 to the Python Package Index (PyPI), where it spread among developers before maintainers removed…
-
QLNX Targets Developers in Supply Chain Credential Theft Campaign
QLNX is a newly documented Linux remote access trojan (RAT) that targets the theft on developers’ and DevOps credentials to hijack software supply chains. Recent attacks against popular projects like LiteLLM on PyPI and the Axios npm package have shown how a single compromised maintainer account can be used to push backdoored releases to millions…
-
Bitwarden-CLI kompromittiert: JFrog warnt vor TeamPCP-Angriff über npm-Paket
Sicherheitsforscher von JFrog haben jetzt eine hochentwickelte Supply-Chain-Attacke auf das npm-Ökosystem aufgedeckt, bei der ein manipuliertes Bitwarden-Paket unbemerkt Schadcode nachlädt. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/bitwarden-cli-kompromittiert-jfrog-warnt-vor-teampcp-angriff-ueber-npm-paket/a44998/
-
Offizielle Daemon Tools-Downloads werden zur Malware-Falle
Ein aktueller Supply-Chain-Angriff auf Daemon Tools sorgt für weltweite Sicherheitsrisiken. Über die offizielle Downloadquelle wurde eine manipulierte Installationsdatei verbreitet, die neben der legitimen Software auch Schadcode enthält. Betroffen sind Nutzer in mehr als 100 Ländern, darunter auch Deutschland. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/daemon-tools-malware
-
Google expands Android Binary Transparency to counter supply chain attacks
Supply chain attacks on mobile software have grown alongside the expanding role of phones in daily life, from payments to government IDs to AI features. Google is responding … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/05/06/google-android-binary-transparency/
-
Ein falsches Spiel: ScarCruft kompromittiert Spieleplattform in einer Supply-Chain-Attacke
ESET-Forscher haben einen anhaltenden Angriff der APT-Gruppe ScarCruft aufgedeckt, der Windows- und Android-Spiele mit Backdoors gegen Bewohner der chinesischen Region Yanbian einsetzt. First seen on welivesecurity.com Jump to article: www.welivesecurity.com/de/eset-research/ein-falsches-spiel-scarcruft-kompromittiert-spieleplattform-in-einer-supply-chain-attacke/