OpenSourceMalware attributes PolinRider to a DPRK-linked actor connected to Lazarus activity, Contagious Interview, and TasksJacker, with confirmed infections across 1,951 public GitHub repositories and 1,047 owners as of April 11, 2026. The campaign appe…
Panther analyzed [email protected], an npm package attributed in the excerpt to DPRK/Famous Chollima activity and built to target developers running automated Polymarket trading bots. The package masqueraded as a logging utility and executed at require()…
OpenAI identified exposure to the broader Axios supply-chain compromise when a GitHub Actions workflow used for macOS app signing downloaded and executed malicious Axios version 1.14.1 on March 31, 2026. The affected workflow had access to certificate and…
Malicious Axios npm versions `[email protected]` and `[email protected]` were observed in a customer environment after attackers abused npm lifecycle execution through a hidden dependency. The postinstall chain launched shell and PowerShell activity, downloaded a s…
KrCERT/CC warned that Inswave WGear, an enterprise banking electronic-finance component used for large Excel processing, contains a remote code execution vulnerability. The affected scope is WGear 1.100.7.0205 and earlier, except 1.100.2.25091, with remed…
Drift Protocol was drained after an attacker spent weeks preparing a fake Solana token, durable nonce transactions, and social-engineering conditions around multisig signing. The attacker created CarbonVote Token, seeded minimal liquidity, wash-traded it …
ReversingLabs found the graphalgo fake recruiter-test campaign continuing with new fake blockchain companies and GitHub organizations designed to make malicious job assignments appear legitimate. The activity used recruiter personas, fake company infrastr…
Chainalysis reports that Drift Protocol lost about $285 million on April 1, 2026 in a highly coordinated Solana DeFi attack with preliminary indicators consistent with DPRK-linked operations, though formal attribution was still pending. According to Drift…
The archived thread links the axios supply-chain attack to BlueNoroff's GhostCall campaign and says an updated SysPhon, also known as WAVESHAPER, was used to profile valuable hosts and fetch additional payloads. The attack abused an attacker-controlled de…
An unnamed source allegedly provided data from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions, fake identities, and browser history tied to DPRK IT worker operations. The material describes luckyguys[.]site…
SectorA activity in March 2026 focused heavily on developer and cryptocurrency targets, using LinkedIn-style lures, malicious repositories, Visual Studio Code automation, npm package abuse, and legitimate platforms such as GitHub, Vercel, and Google Drive…
FortiGuard Labs identifies a Kimsuky campaign targeting South Korean organizations through phishing-delivered LNK files that abuse GitHub as command-and-control infrastructure. The LNK files display decoy PDFs while running obfuscated PowerShell that perf…
PhatomCandle tracked EtherRAT distribution through malicious MSI installers disguised as common IT administration tools, with TTP overlap to an APT group suspected of association with the DPRK. The lures targeted administrators and support personnel by sp…
The FBI IC3 2025 report recorded 1,008,597 cybercrime complaints and more than $20.8 billion in reported losses, with cyber-enabled fraud accounting for most losses. Investment fraud, business email compromise, tech support scams, phishing and spoofing, e…
Group-IB traced a DPRK IT worker ecosystem from a previously reported email address to GitHub accounts, portfolio sites, resume materials, freelance platform activity, and archived persona packages that supported fake remote developer identities. The acti…