Kimsuky is assessed to have distributed malicious `.pdf.lnk` files disguised as a resume and North Korea policy documents, using a multi-stage PowerShell chain to collect host information and exfiltrate it. The infection saves and runs `firefox.ps1`, esta…
Panther analyzed jsonspack as a DPRK-labeled npm supply-chain campaign involving 27 malicious packages published by eight accounts between March 18 and March 31, 2026, with 3,739 recorded downloads. The packages used developer-tooling names such as Chai p…
DCSO analyzed public indicators from the axios npm compromise and found infrastructure overlaps suggesting possible connections to the DPRK-linked BlueNoroff cluster. The attacker used newly created Proton Mail accounts, compromised the axios maintainer a…
Cisco Talos found that attackers published malicious Axios npm versions 1.14.1 and 0.30.4 on March 31, 2026, leaving the widely used JavaScript HTTP client exposed for about three hours. The modified packages introduced a fake dependency, plain-crypto-js,…
High-impact Node.js and npm maintainers reported being targeted by the same social engineering campaign that led to the Axios npm compromise, indicating a coordinated effort against trusted open-source maintainers rather than a one-off incident. The playb…
North Korea’s malware ecosystem is presented as a deliberately compartmentalized portfolio built for mission specialization, resilience, and attribution ambiguity. The espionage track, associated in the text with Kimsuky, emphasizes low-noise access, cred…
NVISO describes hunting and response activity for the Axios npm supply-chain incident, where compromised Axios releases added the trojanized [email protected] dependency and deployed cross-platform RAT payloads. Its MDR telemetry observed activity mai…
TRM Labs assessed that the April 2026 Drift Protocol theft was likely carried out by North Korean hackers, after attackers drained about $285 million from the Solana-based perpetual futures exchange. On-chain staging began weeks earlier with Tornado Cash …
The npm package express-session-js typosquatted the legitimate express-session middleware and executed malicious code as a side effect of require(), rather than through an install hook. Its dropper retrieved an obfuscated stage-two payload from jsonkeeper…
Flare Research found evidence that North Korean IT worker operators are recruiting people from Iran, Syria, Lebanon, Saudi Arabia, and other countries to support remote employment fraud against Western organizations. Internal documents described facilitat…
Elastic described detecting malicious axios npm releases through a monitoring pipeline that downloaded new package versions, diffed them against prior releases, and used an LLM to flag high-confidence supply-chain compromise. The malicious axios versions …
Veracode found that [email protected] and [email protected] were published after an npm account compromise, with the only Axios change being the addition of plain-crypto-js as a dependency. That dependency was never imported by Axios and existed to run a postinstal…
FortiGuard Labs observed DPRK-related LNK phishing campaigns targeting users in South Korea and other Korean companies through multi-stage PowerShell and VBScript execution on Windows. Earlier variants exposed metadata and GitHub command-and-control detai…
Two malicious Axios releases briefly published to npm introduced a dependency that installed a remote access trojan across macOS, Windows, and Linux. Axios maintainer Jason Saayman said the compromise began with a targeted social engineering operation in …
Two malicious Axios versions, 1.14.1 and 0.30.4, were published to npm on March 31, 2026, after the lead maintainer's account was compromised. The attacker injected [email protected], which installed a remote access trojan on macOS, Windows, and Linux …