Last updated: July 5, 2026 at 9:01 AM UTC
Tag: supply-chain (85 articles)

Chrome ad blocker with 10 million installs hides dormant code-injection capability

Researchers at Island found that a popular Chrome extension, "Adblock for YouTube," with more than 10 million installs and a Featured badge, contains the machinery to run arbitrary JavaScript on any website the user visits. The extension works as advertised, but it can fetch a rule from its server that creates script elements with attacker-supplied content, giving access to page data, sessions, and forms. The capability is dormant, not absent: switching it on takes a single server-side change, with no extension update and no store review. The add-on changed ownership years ago, requests access to all sites, and is linked to other extensions previously pulled for malware.

Check
Inventory browser extensions across the organization, flag high-permission ones like ad blockers that request access to all sites, and identify extensions that fetch configuration or rules from external servers.
Affected
Anyone using the 'Adblock for YouTube' Chrome extension or similar high-install add-ons with all-site access and server-controlled logic; a single server change could turn them into code-injection tools.
Fix
Remove or restrict extensions whose permissions exceed their purpose, prefer those with self-contained rules over server-controlled ones, enforce an extension allowlist, and monitor for ownership and permission changes.

Cordyceps CI/CD weakness lets anonymous pull requests hijack build pipelines

Researchers at Novee disclosed Cordyceps, a systemic class of weaknesses in CI/CD pipelines, especially GitHub Actions workflows, that lets an attacker with nothing more than a free account hijack a project's build and release process. The danger is not a single bug but how workflows chain together: an untrusted pull request or comment feeds a low-privilege workflow whose output flows into a higher-privilege one, ending in stolen credentials, poisoned artifacts, or malicious releases. A scan of 30,000 repositories found over 300 fully exploitable, with fixes confirmed by Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Standard scanners miss it because they check files in isolation.

Check
Audit your GitHub Actions and other CI/CD workflows for steps that pass untrusted pull-request or comment data into higher-privilege jobs, and inventory where workflow tokens grant cloud or registry access.
Affected
Organizations whose CI/CD pipelines run workflows triggered by untrusted pull requests or comments, particularly GitHub Actions setups where low-privilege and high-privilege jobs share data and tokens across trust boundaries.
Fix
Treat workflow files as security-critical code, apply least privilege to workflow tokens, isolate untrusted pull-request triggers, sanitize data crossing between jobs, and review CI/CD changes generated by AI coding tools.

Fake AI agent skill slips past every scanner to reach 26,000 agents

Security firm AIR showed how easily AI agent skills can be weaponized by building a benign-looking design skill, publishing it to marketplaces, and promoting it with an Instagram ad until it reached roughly 26,000 agents, including some on corporate accounts. Every skill-scanning tool they tested, including offerings from Cisco and Nvidia, marked it safe. The trick is that the skill itself stays clean but tells the agent to fetch instructions from an external page the attacker controls, which passes review while pointing at harmless content and can be swapped for a malicious install script later. Skills load into an agent with the same authority as a user's prompt.

Check
Inventory which AI agent skills your team has installed, especially any that instruct agents to fetch instructions or scripts from external URLs, and review what local access those agents have.
Affected
Teams using AI agents that install third-party skills, particularly skills that pull instructions from external sites; a one-time safety scan cannot catch content that changes after review.
Fix
Restrict agents to vetted skills from trusted sources, distrust skills that fetch external instructions, monitor agent access to privileged local resources, and never rely on a single scan to judge safety.

Malicious npm packages mimic PostCSS tools to plant Windows remote-access trojan

JFrog found malicious npm packages that impersonate PostCSS build tools to drop a multi-stage Windows remote-access trojan on developer machines. One package, postcss-minify-selector-parser, is named to look like the widely used postcss-selector-parser library, which sees over 127 million weekly downloads, and even lists the real package as a dependency to seem plausible during a quick review. Once installed, it writes and runs a PowerShell script that pulls down the trojan. A second cluster of five packages delivers a dropper during npm install, with one server-side component that only serves the payload to victims matching a specific signature. Affected developers should remove the packages and rotate credentials.

Check
Check developer machines and build systems for the named malicious npm packages and any unexpected PowerShell activity or dropped executables that started during a recent npm install.
Affected
Developers who installed the lookalike PostCSS packages or the related five-package cluster; the payload is a Windows remote-access trojan that runs at install time on developer and build machines.
Fix
Remove the malicious packages and their artifacts, rotate credentials from affected machines, pin and verify dependencies, block install-time scripts in CI, and watch for typosquatted names close to popular libraries.

Hacked WordPress plugin updates push credential-stealing backdoor to paying sites

Attackers compromised the build pipeline of ShapedPlugin, a WordPress plugin maker, and slipped malware into legitimate updates delivered to paying customers through the vendor's own update system. The tainted releases install a fake plugin that impersonates WooCommerce components, steals site credentials, and gives attackers the ability to write files remotely. Three paid plugins are affected: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The backdoor was injected into Pro builds on May 21, with the first customer reports on June 10. Versions on WordPress.org stayed clean, pointing to a compromise of the vendor's release infrastructure rather than the plugins themselves.

Check
Check whether your WordPress sites run ShapedPlugin's Product Slider Pro, Real Testimonials Pro, or Smart Post Show Pro, and look for unfamiliar plugins impersonating WooCommerce components and new admin or file-write activity.
Affected
WordPress sites that updated the paid plugins Product Slider Pro (before 3.5.4), Real Testimonials Pro 3.2.5, or Smart Post Show Pro (before 4.0.2) between May 21 and the fix (tracked as CVE-2026-10735).
Fix
Update the affected ShapedPlugin products to fixed versions, remove any rogue WooCommerce-impersonating plugin, rotate all site and admin credentials, and scan the site for web shells and unauthorized file changes.

Malicious JetBrains plugins steal developers' AI API keys on entry

Aikido Security uncovered a coordinated campaign of at least 15 malicious plugins on the JetBrains Marketplace that pose as AI coding assistants but secretly steal the AI provider API keys developers enter. The plugins offer real features like chat, code review, and commit messages, so they work as advertised, but the moment a user pastes in an OpenAI, DeepSeek, or SiliconFlow key and clicks Apply, the key is silently sent to an attacker server over plain HTTP, with no prompt. The campaign has run since late October 2025, with new plugins as recent as June 10, and uses inflated downloads and fake reviews. Separately, malicious Chrome extensions were found capturing chatbot conversations.

Check
Review which JetBrains IDE plugins and browser extensions developers have installed, especially AI-assistant tools, and check whether any AI provider API keys were entered into third-party plugins rather than official integrations.
Affected
Developers who installed the malicious JetBrains AI-assistant plugins and entered OpenAI, DeepSeek, or SiliconFlow API keys; users of malicious Chrome extensions that harvest chatbot conversations are also exposed.
Fix
Remove untrusted AI plugins and extensions, rotate any AI provider API keys that were entered into them, restrict key permissions and spend limits, and source AI tooling only from vetted, official publishers.

144 Mastra AI-framework npm packages backdoored via hijacked account

Attackers hijacked the npm account of a former contributor to Mastra, a popular open-source framework for building AI applications, and in an 88-minute automated burst republished 144 packages under the @mastra scope with a hidden malicious dependency. The poisoned dependency, a fake clone of a date library, runs at install time: it disables TLS checks, downloads a second-stage cryptocurrency-stealing trojan, runs it as a detached process, and deletes itself. Because @mastra/core alone sees over 900,000 weekly downloads and the payload fires on install, anyone who installed an affected version since June 16 could be compromised before importing anything. npm has pulled the malicious versions.

Check
Check whether any developer machine, CI runner, or build system installed an @mastra package on or after June 16, and scan for the malicious easy-day-js dependency and install-time persistence artifacts.
Affected
Developers and pipelines that installed any @mastra package (including @mastra/core) on or after June 16, 2026; the malicious easy-day-js dependency ran code automatically at install time.
Fix
Roll affected packages back to pre-incident versions, treat affected hosts as compromised, rotate all credentials, tokens, and AI keys, move any crypto wallet funds from a clean device, and require signed-package installs.

WordPress plugin supply-chain attack backdoors sites via Awesome Motive CDN

Attackers compromised the content-delivery network of Awesome Motive, one of the biggest WordPress plugin makers, and injected malicious JavaScript into files served for OptinMonster, TrustPulse, and PushEngage, plugins running on more than 1.2 million sites. Discovered by Sansec, the code only triggered when a logged-in WordPress administrator viewed an affected site, at which point it stole authentication tokens, created a hidden rogue admin account, and installed a self-concealing backdoor plugin that exposed a web shell. The bad files were served on June 12 to 14. Awesome Motive says attackers stole a CDN API key after breaching its marketing site, and has since rotated credentials.

Check
If your site runs OptinMonster, TrustPulse, or PushEngage, check for rogue admin accounts like developer_api1 or dev_xxxxxx and inspect wp-content/plugins for hidden backdoor plugins.
Affected
WordPress sites running OptinMonster, TrustPulse, or PushEngage where an administrator was logged in during the June 12 to 14 injection window; other Awesome Motive plugins should be treated cautiously.
Fix
Remove rogue admin accounts and backdoor plugins, then rotate administrator passwords, API keys, database credentials, and WordPress security salts. Update affected plugins and scan the site for further tampering.

North Korean hackers poison npm packages to hit developers and steal crypto

The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.

Check
Audit developer machines and CI pipelines for recently installed npm packages with post-install scripts from unfamiliar publishers, and review whether staff engaged with unsolicited recruiters or take-home coding tests.
Affected
Software developers, especially in cryptocurrency, Web3, and blockchain, targeted through malicious npm packages and fake job interviews; their machines, wallets, and source code are the goal.
Fix
Vet dependencies before installing, block install-time scripts in CI, isolate untrusted coding tests in disposable sandboxes, and train developers to treat unsolicited recruiter outreach and test assignments as suspect.

Over 400 Arch Linux AUR packages hijacked to drop stealer and rootkit

Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.

Check
List AUR packages installed or updated since June 9 and diff their PKGBUILD and install scripts, flagging any that invoke npm, pip, or cargo for no clear reason.
Affected
Arch Linux and Arch-based systems where AUR packages were installed or updated on or after June 9 via helpers like yay or paru; root installs also expose an eBPF rootkit.
Fix
Remove affected packages and rotate all credentials, SSH keys, tokens, and wallets from the host. If a package ran as root, rebuild the machine; the rootkit makes in-place cleanup untrustworthy.