TrapDoor malware campaign puts developer workstations in CISO spotlight

A malicious package campaign across npm, PyPI, and Crates.io has put developer workstations back under scrutiny, after researchers said it targeted developer workflows and AI coding assistant files.

Researchers at Socket said the campaign, which they are tracking as TrapDoor, “spans more than 34 malicious packages and 384+ related versions and artifacts” across the three open-source…


Several npm and PyPI packages were implanted with Mini Shai-Hulud malware via GitHub Actions


Security firm Socket announced that it has detected several well-known software packages in the npm and PyPI ecosystems implanted with malware from the Mini Shai-Hulud family, which ran rampant in late 2025 (it is named after the giant worm in Dune) and which had earlier compromised other npm packages, namely SAP and Intercom, as well as the PyPI package lightning in late April…

Many npm packages for Mistral, UiPath, TanStack's web dev tools like react-router, and more were compromised, likely in the Mini Shai-Hulud supply chain attack (Socket)

Socket:
Many npm packages for Mistral, UiPath, TanStack's web dev tools like react-router, and more were compromised, likely in the Mini Shai-Hulud supply chain attack — Immediate triage: Run shasum -a 256 on all router_init.js files in your dependency tree.

A supply chain attack compromises HTTP client Axios, which has 100M weekly npm downloads, introducing a malicious dependency and deploying a multi-stage payload (Socket)

Socket:
A supply chain attack compromises HTTP client Axios, which has 100M weekly npm downloads, introducing a malicious dependency and deploying a multi-stage payload — Socket Research Team … Our analysis shows the malicious package deploys a multi-stage payload, including a remote access trojan …

Serious Trivy breach in GitHub Actions threatens your secrets, tokens, credentials and even your artifacts: what you need to do and know

the irony of security: the trivy github actions hijacked (again)

In a twist of fate that would make any SRE pour themselves a stiff drink, Trivy, the industry-standard vulnerability scanner maintained by Aqua Security, has been compromised for the second time in a month. It seems the tool designed to find holes in your infrastructure was itself…

Trivy vulnerability scanner backdoored with credential stealer in supply chain attack

Attackers have compromised the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach could trigger a cascade of additional supply-chain compromises if impacted projects and organizations don’t rotate their secrets immediately.

The attack, disclosed by Trivy maintainers…

N. Korean Famous Chollima Hackers Use Malicious npm Packages to Steal Data

A group of more than two dozen malicious npm packages used to steal secrets and credentials from software developers has all the hallmarks – from infrastructure to operations – of Famous Chollima, the North Korean nation-state actor linked to the ongoing high-profile Contagious Interview scam. Threat researchers with Socket and Kieran Miyamoto of the DPRK […]

crates.io: an update to the malicious crate notification policy

The crates.io team will no longer publish a blog post each time a malicious crate is detected or reported. In the vast majority of cases to date, these notifications have involved crates that have no evidence of real world usage, and we feel that publishing these blog posts is generating noise, rather than signal.

We will always publish a RustSec advisory when a crate is removed for containing…
