Elliptic identified multiple indicators suggesting the $286 million Drift Protocol exploit may be linked to DPRK activity, citing on-chain behavior, laundering methods, and network-level indicators consistent with previous DPRK-attributed operations. The …
2026
387 reports
A malicious actor gained unauthorized administrative control over Drift Protocol by abusing durable nonce accounts and previously obtained multisig approvals. The intrusion was not attributed to a smart-contract flaw or compromised seed phrases; the excer…
Breakglass maps a DPRK Contagious Interview campaign in which North Korean operators pose as recruiters and lure software developers into running ClickFix-style setup commands during fake job interviews. The observed chain uses BeaverTail and InvisibleFer…
360 attributes the Axios npm supply-chain compromise to Lazarus with strong confidence, citing overlaps with GhostCall activity and RustBucket-related macOS components. Attackers hijacked the axios maintainer account and published malicious axios@1.14.1 a…
Bitdefender attributes the axios incident to an unknown threat actor, not to any named state group, and describes a supply-chain compromise of the primary maintainer's npm account. The attacker published axios@1.14.1 and axios@0.30.4 with a hidden plain-c…
SECUI STIC analyzes an Axios supply-chain compromise in which attackers stole maintainer credentials and altered npm installation behavior so a malicious setup.js loader ran automatically when affected packages were installed. The loader used custom obfus…
Malicious Axios npm releases 1.14.1 and 0.30.4 allegedly used a compromised maintainer account to add the hidden plain-crypto-js dependency, causing npm install to execute a postinstall dropper. The excerpt attributes the operation to UNC1069, descr…
Unit 42 reports that compromised Axios npm releases v1.14.1 and v0.30.4 added a hidden dependency, plain-crypto-js, which executed a postinstall dropper and deployed cross-platform RAT payloads on macOS, Windows, and Linux. The infection chain used obfusc…
A malicious Axios 1.14.1 release introduced the trojanized plain-crypto-js dependency, making exposure broader than projects that explicitly listed Axios. The report shows how semver ranges, fresh installs, npx execution, CI tooling, developer CLIs,…
Hunt.io traces the Axios npm compromise to a staged operation involving takeover of maintainer jasonsaayman's npm account, publication of malicious axios releases, and weaponization of plain-crypto-js as a postinstall dropper. The dropper hid its st…
AhnLab ASEC observed Kimsuky changing its malicious LNK distribution chain while still ultimately executing Python-based backdoors or downloaders. Recent LNK lures such as resume and data backup guide files create hidden components under C:\windirr, then …
AhnLab ASEC reported a shift in Kimsuky’s malicious LNK delivery method for Python-based backdoors and downloaders. The newer chain uses document-themed LNK lures, hidden files under C:\windirr, XML Task Scheduler entries, VBS and PowerShell scripts, Drop…
CrowdStrike reports that a threat actor used stolen maintainer credentials on March 31, 2026 to compromise the widely used Axios npm package and deploy updated, platform-specific ZshBucket variants. The activity is attributed to STARDUST CHOLLIMA with mod…
Microsoft attributed the malicious axios npm releases 1.14.1 and 0.30.4 and their command-and-control infrastructure to Sapphire Sleet, a North Korean state actor. The compromise inserted the fake dependency plain-crypto-js so npm installation or up…
Elastic Security Labs analyzed the Axios npm supply-chain compromise in which a compromised maintainer account published backdoored axios@1.14.1 and axios@0.30.4 releases that pulled the malicious plain-crypto-js dependency. The dependency used an obfusca…