Supply chain attacks: trusting package installs was always a bold move. We track them so you don't learn the hard way. supplychainattack.org

Joined June 2026
🚨 [New supply chain attack declared]: ecto-flag-read-m7p2

ecto-flag-read-m7p2 is an npm package with a randomized, throwaway-style name, part of a cluster of malicious "ecto" packages now flagged on npm. Malware was found in it (GHSA-ggf2-rhq7-qqgg). Any system with it installed or running is fully compromised, with full control granted to an outside entity.

→ Rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #ecto #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: Atomic Arch (400 AUR packages hijacked)

On June 11, attackers hijacked over 400 packages in the Arch User Repository (AUR), turning them into a malware delivery network via maintainer account takeovers. Impact is limited to Arch Linux systems.

→ Enable MFA on all AUR maintainer accounts, revoke compromised package versions, restore from known-good sources, and scan Arch systems for IoCs

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #ArchLinux #AUR #AtomicArch #malware #DevSecOps #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: vite-react-toolkit

vite-react-toolkit is an npm package posing as a Vite React starter/toolkit, riding on the popularity of the Vite build tool to lure front-end developers into installing it. Malware was found in it. Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #vitereacttoolkit #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 Supply Chain Alert: Shai-Hulud is back [Miasma & Hades variants]

100 npm and PyPI packages compromised by new self-propagating Shai-Hulud worm variants. 471 malicious artifacts identified across both ecosystems.

- Miasma (npm): 57 packages, 300 malicious versions. Weaponized binding.gyp to bypass postinstall logic. Hit Vapi SDK, ai-sdk-ollama, node-env-resolver, wrangler-deploy, and more.
- Hades (PyPI): ~48 packages across two waves. Uses -setup.pth to execute at Python startup, fetches Bun runtime to run JS. Targets bioinformatics, graph ML, and MCP-themed packages.
- Both harvest credentials, cloud keys & tokens, then self-spread by infecting packages the victim can publish to. Data exfiltrated to attacker-created GitHub repos.
- Context: TeamPCP released the worm source code in May → clones followed. Red Hat lost 32 packages June 1.

Remediation:
- Audit npm/PyPI deps installed since June 1 against published IOC lists (Socket, Snyk, Sonatype, StepSecurity, Ox)
- Rotate any credentials/tokens exposed on dev or CI machines
- Pin & lock dependency versions, disable install scripts (npm ci --ignore-scripts)
- Block unexpected binding.gyp / .pth execution in build pipelines
- Hunt for unauthorized GitHub repos created under your org

Tracked on supplychainattack.org

#SupplyChainSecurity #CyberSecurity #DevSecOps #npm #PyPI #ShaiHulud #ThreatIntel #InfoSec #OSS #AppSec #CTI #OpenSource #MalwareAnalysis
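A local inventory check for the two execution hooks the Shai-Hulud post calls out (binding.gyp triggering npm's implicit node-gyp build, and `.pth` lines that run at Python startup), added here as an example and not code from supplychainattack.org or any of the vendors named; it scans a constructed sample tree, and every package and file name in it is made up:

```python
import json
import tempfile
from pathlib import Path


def scan_node_modules(node_modules: Path) -> list[str]:
    """List packages whose binding.gyp would make npm run 'node-gyp rebuild'
    implicitly, i.e. no install/preinstall script is declared to override it."""
    hits = []
    for gyp in node_modules.rglob("binding.gyp"):
        pkg_dir = gyp.parent
        manifest = pkg_dir / "package.json"
        scripts = {}
        if manifest.is_file():
            scripts = json.loads(manifest.read_text()).get("scripts", {})
        if "install" not in scripts and "preinstall" not in scripts:
            hits.append(pkg_dir.relative_to(node_modules).as_posix())
    return sorted(hits)  # candidates to review; npm ci --ignore-scripts blocks all of them


def scan_pth_files(site_packages: Path) -> list[tuple[str, int, str]]:
    """Report .pth lines starting with 'import': the interpreter executes
    those on every startup, which is the persistence hook Hades relies on."""
    hits = []
    for pth in sorted(site_packages.glob("*.pth")):
        for lineno, line in enumerate(pth.read_text().splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, lineno, line.strip()))
    return hits


def run_demo() -> dict:
    """Build a constructed sample tree (hypothetical packages) and scan it."""
    base = Path(tempfile.mkdtemp())
    nm = base / "node_modules"
    for name, scripts in (("good-addon", {"install": "node-gyp rebuild"}),
                          ("suspect-pkg", {})):  # second one has no install script
        (nm / name).mkdir(parents=True)
        (nm / name / "binding.gyp").write_text("{}")
        (nm / name / "package.json").write_text(
            json.dumps({"name": name, "scripts": scripts}))
    sp = base / "site-packages"
    sp.mkdir()
    (sp / "easy-install.pth").write_text("./somepkg\n")  # plain path entry, harmless
    (sp / "-setup.pth").write_text("import os; os.environ['X'] = '1'\n")  # executable line
    return {"gyp": scan_node_modules(nm), "pth": scan_pth_files(sp)}


if __name__ == "__main__":
    print(run_demo())
```

Point `scan_node_modules` at a project's real `node_modules` and `scan_pth_files` at `python -c "import site; print(site.getsitepackages())"` output to run it against an actual machine.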
🚨 [New supply chain attack declared]: pui-diagnostics

pui-diagnostics is an npm package presenting itself as a UI diagnostics/monitoring utility, named to blend into front-end and tooling dependency trees. Malware was found in it (GHSA-96f9-39p2-gjwm). Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Isolate from network, rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #puidiagnostics #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: @johntaohunter/forge-jsx

@johntaohunter/forge-jsx is an npm package posing as a JSX forging/build utility, part of a cluster of malicious "forge-jsx" packages (alongside forge-jsx2 and forge-jsxy) now flagged on npm. Malware was found in it (GHSA-v9x2-2qjf-q7qp). Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #forgejsx #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: experian-analytics-components

experian-analytics-components is an npm package posing as an Experian analytics component library, impersonating the Experian brand to target fintech, credit, and data-analytics developer workflows. Malware was found in it (GHSA-wg43-49xc-v68q). Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #experian #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: @ngt-frontend/widgets-core

@ngt-frontend/widgets-core is an npm package posing as a core UI widgets library under the @ngt-frontend scope, blending in as legitimate front-end component tooling. Malware was found in it (GHSA-x2r7-fmjp-vqq2). Any system with it installed or running is fully compromised, with full control granted to an outside entity.

→ Rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #ngtfrontend #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: emittery_styled

emittery_styled is an npm package whose name blends "emittery" (a popular event-emitter library) with styling utilities, likely to look legitimate to JS developers. Malware was found in it (GHSA-j6hp-9w2p-jwpw). Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Isolate from network, rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #emitterystyled #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: tw-fluid-type

tw-fluid-type is an npm package posing as a Tailwind CSS fluid-typography helper, riding on Tailwind's popularity to lure front-end developers into installing it. Malware was found in it (GHSA-53h7-3qgm-jr76). Any system with it installed or running is fully compromised.

→ Rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #twfluidtype #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: routing-controls

routing-controls is an npm package presenting itself as a routing/access-control utility for JS apps, named to blend into backend and web framework dependency trees. Malware was found in it (GHSA-jmhh-mvpj-27qq). Any system with it installed or running is fully compromised, with full control possibly handed to an outside entity.

→ Isolate from network, rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #routingcontrols #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: paypal-payouts-bridge

paypal-payouts-bridge is an npm package posing as a PayPal Payouts integration/bridge library, impersonating the PayPal brand to target payment and fintech developer workflows. Malware was found in it (GHSA-fpch-j6rr-8r63). Any system with it installed or running is fully compromised.

→ Isolate from network, rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #paypalpayoutsbridge #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: google-cloud-secret-manager-config-poc

google-cloud-secret-manager-config-poc is an npm package posing as a Google Cloud Secret Manager config helper/PoC, impersonating GCP tooling to target cloud and DevOps developer workflows. Malware was found in it (GHSA-g6v5-9xpp-6hpx). Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Rotate all secrets and cloud credentials from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #gcp #malware #DevSecOps #CloudSecurity #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: polymarket-clob-api

polymarket-clob-api is an npm package posing as a client for Polymarket's CLOB (central limit order book) API, impersonating the Polymarket brand to target crypto/prediction-market and trading bot developers. Malware was found in it (GHSA-95f6-59wp-jpv8). Any system with it installed or running is fully compromised, with full control possibly handed to an outside entity.

→ Rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #polymarketclobapi #malware #DevSecOps #Web3Security #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: tailwind-dark-mode-kit

tailwind-dark-mode-kit is an npm package posing as a Tailwind CSS dark-mode toolkit, riding on Tailwind's popularity to lure front-end developers into installing it. Malware was found in it (GHSA-63rx-hcxw-wmpq). Any system with it installed or running is fully compromised.

→ Rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #tailwinddarkmodekit #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: @common-stack/generate-plugin

@common-stack/generate-plugin is an npm package posing as a plugin generator under the @common-stack scope, blending in as legitimate developer tooling. Malware was found in it (GHSA-6p55-6hvr-3xmg). Any system with it installed or running is fully compromised.

→ Rotate all secrets and signing keys from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #commonstack #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: justgetit

justgetit is a malicious npm package using a generic, catchy name to look like a simple download/fetch helper, luring developers into installing it. Malware was found in it (GHSA-4qrx-h7cq-cqh6). Any system with it installed or running is fully compromised, with attackers gaining full control.

→ Isolate from network, rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #justgetit #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: apple-mycelium-fix

apple-mycelium-fix is a malicious npm package using an Apple-themed name to look like a legitimate fix or patch utility, luring developers into installing it. Malware was found in it (GHSA-fjcr-w74v-m2qw). Any system with it installed or running is fully compromised, with full control possibly handed to an outside entity.

→ Rotate all secrets from a clean machine, remove the package, then audit/reimage

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #applemyceliumfix #malware #DevSecOps #AppSec #ThreatIntel #OpenSource
🚨 [New supply chain attack declared]: rsflows-pexml

rsflows-pexml is an npm package presenting itself as a workflow/XML processing utility for JS apps, with an obscure name that helps it slip into dependency trees unnoticed. Malware was found in it (GHSA-m2qp-j4c5-7m6m). Any system with it installed or running is fully compromised, with attackers potentially gaining full control.

→ Isolate from network, rotate all secrets from a clean machine, remove the package, then audit/rebuild

Full details 👇 supplychainattack.org/incide…

#supplychain #SupplyChainSecurity #infosec #CyberSecurity #npm #rsflowspexml #malware #DevSecOps #AppSec #ThreatIntel #OpenSource