🧯 Supply Chain Incidents

• CanisterWorm: npm Publisher Compromise Deploys Backdoor Across 29+ Packages
• GlassWorm Loader Hits Open VSX via Developer Account Compromise
• SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains
• Shai Hulud Strikes Again (v2)
• Popular Tinycolor npm Package Compromised in Supply Chain Attack Affecting 40+ Packages
• npm 'is' Package Hijacked in Expanding Supply Chain Attack
• Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control

🇰🇵 North Korea — Contagious Interview

• Inside the GitHub Infrastructure Powering North Korea's Contagious Interview npm Attacks
• North Korea's Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads
• Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
• Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages
• Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
• Lazarus Strikes npm Again with New Wave of Malicious Packages
• North Korean APT Lazarus Targets Developers with Malicious npm Package

📊 Threat Landscape & Cross-Ecosystem Research

• Surveillance Malware Hidden in npm and PyPI Packages Targets Developers with Keyloggers, Webcam Capture, and Credential Theft
• Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
• 2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain
• The Landscape of Malicious Open Source Packages: 2025 Mid‑Year Threat Report
• Weaponizing OAST: How Malicious Packages Exploit npm, PyPI, and RubyGems for Data Exfiltration and Recon

📦 npm / JavaScript / TypeScript

• Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
• Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions
• 60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign
• Malicious Koishi Chatbot Plugin Exfiltrates Messages Triggered by 8-Character Hex Strings
• Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
• Black Basta's Dependency Confusion Ambitions and Ransomware in Open Source Ecosystems
• Gmail For Exfiltration: Malicious npm Packages Target Solana Private Keys and Drain Victims' Wallets
• Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
• Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
• Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
• Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages
• Roblox Developers Targeted with npm Packages Infected with Skuld Infostealer and Blank Grabber
• Author Typosquatting on npm: Attackers Impersonate Sindre Sorhus with Malicious 'chalk-node' Package

🐍 PyPI / Python

• PyPI Package Impersonates SymPy to Deliver Cryptomining Malware
• Monkey-Patched PyPI Packages Use Transitive Dependencies to Steal Solana Private Keys
• The Bad Seeds: Malicious npm and PyPI Packages Pose as Developer Tools to Steal Wallet Credentials
• Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
• Typosquatting on PyPI: Malicious Package Mimics Popular 'browser-cookie3' Library to Steal Sensitive Data

🐹 Go Modules / Golang

• Malicious Go "crypto" Module Steals Passwords and Deploys Rekoobe Backdoor
• Malicious Go Packages Impersonate Google's UUID Library and Exfiltrate Data
• Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
• Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
• Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence

☕ Maven Central / Java

• Malicious Maven Package Impersonating 'XZ for Java' Library Introduces Backdoor Allowing Remote Code Execution

♦️ RubyGems / Ruby

• 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign
• Malicious Ruby Gems Exfiltrate Telegram Tokens and Messages Following Vietnam Ban

⚙️ NuGet / .NET

• Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords
• Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys

🦀 Rust / Crates

• 5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files
• Two Malicious Rust Crates Impersonate Popular Logger to Steal Wallet Keys

🧩 Extensions / Chrome / VS Code / OpenVSX

• 72 Malicious Open VSX Extensions Linked to GlassWorm Campaign Now Using Transitive Dependencies
• Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects
• Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds
• Malicious Chrome Extension Steals MEXC API Keys for Account Takeover
• Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
• 131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store

🕵️ Cybercrime, Underground Economy & Influence Research

• Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
• Noxia: Emerging Dark Web Hosting Provider Targets Python, Node.js, Go, and Rust Ecosystems
• Current Trends in the Turkish-Language Dark Web
• Combating Human Trafficking With Threat Intelligence — Prosecution
• The Business of Fraud: An Overview of How Cybercrime Gets Monetized
• Checkers and Brute Forcers Highlight Dangers of Poor Password Management
• Combating the Underground Economy's Automation Revolution
• The Price of Influence: Disinformation in the Private Sector