Malicious axios versions 1.14.1 and 0.30.4 were published to npm through a compromised maintainer account, affecting both modern and legacy branches of a package with more than 100 million weekly downloads. The attacker did not alter Axios source code dir…
An attacker hijacked the npm account of Axios lead maintainer jasonsaayman and published malicious axios versions 1.14.1 and 0.30.4 on March 31, 2026. The poisoned releases added plain-crypto-js, whose postinstall script ran during npm install and d…
Datadog analyzes the March 31, 2026 axios npm compromise in which a hijacked maintainer account published axios@1.14.1 and axios@0.30.4 with a new dependency on plain-crypto-js. The typosquatted package cloned crypto-js but added a postinstall setup.js sc…
ThreatBook attributes the Axios npm supply-chain poisoning incident to Lazarus Group, citing long-term tracking, malware behavior, and infrastructure pivots. The attack used a hijacked Axios maintainer account to publish axios@1.14.1 and axios@0.30.4 with…
Socket analyzed the axios supply-chain compromise in which axios@1.14.1 and axios@0.30.4 pulled the malicious plain-crypto-js dependency through npm. The dependency’s postinstall hook ran setup.js, decoded obfuscated module names, commands, paths, a…
The analysis describes an axios supply-chain compromise in which axios v1.14.1 and v0.30.4 were published directly through npm CLI with a malicious plain-crypto-js dependency, diverging from normal GitHub Actions OIDC provenance. The attacker reportedly c…
StepSecurity identified malicious npm releases axios@1.14.1 and axios@0.30.4 published through compromised maintainer credentials rather than the project’s normal GitHub Actions OIDC Trusted Publisher flow. The attacker added an unused runtime dependency,…
Attackers hijacked the jasonsaayman npm account and published malicious axios@1.14.1 and axios@0.30.4, adding plain-crypto-js solely to run a postinstall dropper. The package contacted sfrclak[.]com:8000 and installed platform-specific RAT payloads …
HAURI analyzed a Korean campaign that disguised malware as a required integrated security installer used for banking and public-sector websites, with the archive mimicking Veraport by using a similar filename and normal-looking installation flow. The infe…
A 60 Minutes Australia investigation reported that North Korean operatives are seeking remote IT roles at Australian and other technology companies using false identities, fake resumes, and online interview deception. The scheme is described as both sanct…
North Korea-linked groups remained highly active in Q1 2026, with Lazarus, BlueNoroff, Andariel, Famous Chollima/UNC1069, ScarCruft/APT37, Kimsuky, and Konni tied to financially motivated and espionage activity. The DPRK-relevant campaigns centered on fak…
38 North focuses on how DPRK-linked actors convert stolen cryptocurrency into usable funds after hacks and laundering. The article cites estimates that DPRK stole about $3 billion in 58 cyberattacks from 2017 to 2023, plus the Lazarus Group's approximatel…
eSentire TRU detected EtherRAT in a retail customer environment in March 2026 and notes that Sysdig has linked the Node.js backdoor to a North Korean APT through overlaps with Contagious Interview TTPs. The observed intrusion used ClickFix to run pcalua.e…
Mandiant’s M-Trends 2026 reported that North Korean IT worker incidents showed a median dwell time of 122 days in 2025, matching the persistence observed in cyber espionage cases. The broader incident data shows attackers increasingly exploiting gaps in i…
Sophos CTU reports that NICKEL ALLEY, a North Korean government-linked group, continued Contagious Interview operations against technology professionals through fake companies, fake jobs, malicious GitHub repositories, and developer assessment lures. Sinc…