The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.
Socket detailed PolinRider, an active North Korean supply-chain campaign that has planted 108 malicious packages and a browser extension across the npm, Go, and Packagist ecosystems, expanding the developer-targeting activity behind this week's Rollup npm packages. Operators take over legitimate GitHub maintainer accounts, often via expired-domain or account-recovery abuse, then bulk-modify repositories and publish infected versions. To stay hidden, they rewrite Git history so malicious commits look old, pad one-line loaders with whitespace to push them off screen, and disguise payloads as font files. Some trigger automatically through VS Code task settings when a developer simply opens the project folder in an editor like VS Code or Cursor.
Researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library that lets devices read FAT and exFAT media like USB drives and SD cards and that is bundled into the firmware of countless embedded and industrial products. The most serious, CVE-2026-6682, is an integer overflow when mounting a FAT32 volume that can lead to memory corruption and code execution, and several bugs are reachable through firmware update flows, not just physical media. The hard part is patching: FatFs is maintained by a single developer who did not respond to the researchers, so most of the memory-corruption flaws have no upstream fix and downstream vendors may never learn they are affected.
JFrog found a new set of malicious npm packages, linked to North Korea, that impersonate legitimate Rollup polyfill tooling closely enough to pass a quick dependency review, down to matching names and metadata. Installing them pulls in hidden second-stage packages disguised as SVG utilities, which fetch and run a JavaScript payload while checking that they are not in a sandbox or cloud build. The malware hunts for developer secrets, and notably targets the configuration and history of AI coding tools like Cursor alongside AWS, Azure, SSH, and npm credentials. Because build plugins run on developer machines and in CI, a single poisoned dependency can expose source code, tokens, and cloud keys.
Sekoia found a campaign that targets security researchers by planting a Python remote access trojan, ChocoPoC, in proof-of-concept exploits published on GitHub. Rather than putting malware in the exploit code itself, the attackers add a malicious package to the PoC's dependency list on the Python Package Index, so simply installing and running the exploit pulls down the trojan, which can run commands and steal data. At least seven repositories posed as PoCs for flaws in products like FortiWeb, PAN-OS, Ivanti Sentry, and Check Point VPN, with downloads spiking after each new vulnerability made headlines. One malicious package was fetched about 2,400 times, mostly on Linux.
A public proof-of-concept has been released for a critical flaw in libssh2 (CVE-2026-55200), the client-side SSH library embedded in curl, Git, PHP, backup agents, firmware updaters, and countless appliances. A malicious or compromised SSH server can send a crafted packet that corrupts memory on the connecting client, with no credentials or user interaction needed, potentially leading to code execution. Rated 9.2, the bug affects all versions through 1.11.1. The fix was merged into the source on June 12, but no tagged release exists yet, so distributions are backporting it. The hardest part is that libssh2 is often statically bundled, so package updates miss those copies entirely.
Researchers at Mozilla's 0DIN found that an AI coding agent told to clone and set up a seemingly harmless GitHub repository can be tricked into running malware that stays invisible to security scanners, the agent itself, and human reviewers. The trick is that nothing malicious sits in the repository's files. Instead, a routine-looking setup command runs a script that fetches a value hidden in a DNS TXT record and executes it as a shell command, pulling down and running an attacker's payload like a reverse shell. Because the payload lives outside the repo and arrives over DNS at setup time, code review and static scanning see nothing wrong.
Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.
Wiz Research found a high-severity flaw in Amazon Q Developer, Amazon's AI coding assistant, that let a malicious code repository run commands and steal a developer's cloud credentials simply by being opened. The bug (CVE-2026-12957) lay in how Amazon Q handled Model Context Protocol servers: it read an MCP configuration file from the open workspace and automatically launched the servers it defined. Because those servers run as local processes that inherit the developer's full environment, a single config file committed to a repo could reach AWS keys, cloud tokens, API secrets, and SSH agent sockets, turning a git clone into a full compromise. Amazon has patched the issue and published an advisory.
The crypto prediction market Polymarket says attackers stole close to $3 million from users after compromising a third-party vendor and injecting a malicious script into the platform's website. The script ran on the live site and prompted users connecting their wallets to approve transactions that drained their funds; researchers traced roughly $2.94 million taken from around a dozen accounts and bridged into Ethereum. Because the attack rode in through a trusted frontend dependency rather than Polymarket's own systems, it was invisible to users. Polymarket removed the dependency, contained the incident, and pledged full refunds. It was the platform's second security incident in two months.