SentinelLABS analyzed macOS.Gaslight, a Rust-based macOS implant and infostealer assessed with high confidence as part of DPRK-aligned macOS activity. The malware uses Telegram Bot API polling for C2, AES-GCM encryption over certificate-pinned TLS, and ru…
Lazarus is presented as a North Korean state-backed umbrella of related teams that blends espionage, disruptive attacks, cryptocurrency theft, supply chain compromise, and IT-worker infiltration. The article highlights major attributed incidents including…
The episode examines the behavioral layer that makes DPRK-linked fake interview campaigns work before obvious malware execution. The source describes how recruiter messages, plausible companies, broken calls, shared repositories, browser prompts, login re…
A hijacked npm maintainer account republished more than 140 Mastra packages with one added dependency on the typosquatted `easy-day-js` package, leaving Mastra's own library code unchanged while moving malware one dependency hop away. The malicious `easy-…
A compromised dormant maintainer account republished more than 140 Mastra npm packages with a malicious dependency on `easy-day-js`, a clean-then-armed typosquat that installed a two-stage JavaScript backdoor. The payload stole browser history and data fr…
A DPRK-linked attacker compromised seven high-privilege Humanity Protocol keys stored on one director's laptop, giving them enough signatures to defeat both Ethereum and BSC Gnosis Safe thresholds. The attacker transferred ProxyAdmin ownership, upgraded t…
An attacker compromised the @mastra npm organization and republished more than 140 Mastra ecosystem packages with a dependency on the typosquatted `easy-day-js` package. The malicious `[email protected]` release used a postinstall dropper to disable TLS…
A compromised Mastra maintainer account was used to publish 116 malicious npm packages, mostly under the `@mastra/` namespace, with a postinstall script designed to exfiltrate credentials and remove itself. Mastra identified the attack the evening of June…
A malicious npm dependency, easy-day-js, was added to 143 Mastra packages as a production dependency, causing fresh installs to resolve from a clean decoy version to weaponized [email protected] through a caret version range. Its obfuscated postinstall …
A compromised Mastra npm release wave added the typosquatted dependency `easy-day-js`, whose `postinstall` hook executed during dependency installation and pulled a second-stage Node.js implant from attacker-controlled infrastructure. The implant installe…
An attacker reused a dormant former Mastra contributor npm account to republish 143 @mastra packages on June 17, 2026, adding a dependency on easy-day-js that resolved to a malicious postinstall version. The dropper fetched a second-stage Node RAT from Ho…
From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
Sapphire Sleet compromised the Mastra npm ecosystem by taking over the `ehindero` maintainer account and injecting the malicious `easy-day-js` typosquat into more than 140 `mastra` and `@mastra` packages. The weaponized package ran a postinstall dropper t…
AhnLab observed malicious Windows LNK files disguised as resumes that show a benign decoy document while creating batch, PowerShell, and VBScript files under public user directories. The chain registers an `office365` scheduled task to run every 10 minute…
AhnLab observed a malicious Windows shortcut disguised as a personal information consent document that runs obfuscated PowerShell and retrieves additional scripts for fileless execution. The chain creates downloader and loader PowerShell scripts, establis…
A stale former contributor npm account was used to republish the Mastra npm scope with a malicious `easy-day-js` dependency that executed at install time. The dropper disabled TLS validation, fetched a second-stage payload from a raw IP, and installed a c…