Researchers at Cyera have disclosed six vulnerabilities, collectively named Proto6, in protobuf.js, a JavaScript and TypeScript library for Google's Protocol Buffers data format that sees more than 50 million downloads a week. The flaws stem from the library trusting schema and metadata by default, so a single malicious schema or crafted payload can crash a service, inject code, or lead to remote code execution. Cyera demonstrated real attacks including poisoning CI/CD pipelines to leak build secrets and crashing WhatsApp automation bots. Because protobuf.js is embedded across cloud services, AI platforms, and build systems, the reach is broad. Fixed versions are 7.5.6 and 8.0.2.
The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.
The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.
Toshiba and Muji have warned website visitors that suspicious sign-in screens appearing on their sites could harvest credentials, advising anyone who entered login data to change their passwords. The pop-ups were generated by the external polyfill[.]io service, which injected malicious code via its CDN after the domain was bought by a Chinese entity in 2024 - an incident that affected more than 100,000 websites. Japanese outlets report Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also hit, and a researcher observed Samsung Smart TVs and sites showing the prompt on June 1. Polyfill is a JavaScript compatibility CDN for legacy browsers; affected sites should remove all polyfill[.]io references immediately.
JFrog has documented IronWorm, a new npm supply-chain worm that has infected 36 packages with an infostealer targeting 86 environment variables and 20 credential files - including OpenAI, AWS, Anthropic, and npm credentials, Vault configs, SSH keys, and Exodus wallet files. Written in Rust, it hides behind an eBPF kernel rootkit and communicates over Tor. It self-propagates using stolen npm Trusted Publishing secrets to trojanize the victim's own packages. JFrog found the same commit names as Shai-Hulud (commit author 'claude,' timestamps faked up to 13 years old) and suspects an evolution of TeamPCP's payload. Notably, it exfiltrates secrets by uploading them as innocuous-looking GitHub Actions build artifacts, avoiding external C2.
The Windows version of the Chromium-based Hola Browser has been compromised in a supply-chain attack that delivered an undeclared cryptocurrency miner. The compromise was caught during AppEsteem certification checks, with Sophos and others finding an uncertified, unsigned, obfuscated executable, me.exe, under C:\Program Files\Hola\. Analysis identified it as a Monero miner: it adds a Windows Defender exclusion, copies itself to Program Files as HolaMonitorService.exe, creates an auto-starting service named hola_monitor_svc, and runs when the machine is idle. Hola - the Israeli company behind Hola VPN, long controversial for turning free users into proxies - confirmed the compromise (independently detected by Sygnia) but says only about 0.1% of users were affected.
More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.
Aikido Security has disclosed that codexui-android, an npm package advertised as a remote web UI for OpenAI Codex with over 29,000 weekly downloads, has been silently exfiltrating users' Codex authentication tokens for the past month. Unlike a typosquat, the malware was embedded into a functional, actively-developed package roughly a month after publication to build trust; the GitHub repo stayed clean. The code reads ~/.codex/auth.json and ships the access_token, refresh_token, id_token, and account ID to sentry.anyclaw[.]store, a server masquerading as Sentry. The non-expiring refresh_token lets an attacker silently impersonate the developer indefinitely with full Codex account access. The package remains available; the npm account is 'friuns.'
Socket has flagged a malicious NuGet package, Sicoob.Sdk (versions 2.0.0-2.0.4), that masquerades as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems, and steals PFX certificates used to authenticate businesses with Sicoob's banking APIs. When a developer instantiates SicoobClient, the package reads the PFX file from disk, Base64-encodes it, and exfiltrates the client ID, PFX password, and encoded certificate to a hardcoded third-party Sentry endpoint. It also captures raw Boleto API responses. The package was downloaded ~500 times and the publisher has 11 other NuGet packages with ~6,000 combined downloads. Google Search AI Mode reportedly amplified the package as legitimate.
CrowdStrike, Google, and The Shadowserver Foundation have disrupted the GlassWorm developer-supply-chain botnet by simultaneously cutting four resilient command-and-control channels. Active since October 2025, GlassWorm spread through malicious OpenVSX and VS Code extensions, GitHub repos, and npm packages (one March campaign hit 400+ artifacts), stealing crypto wallets and developer credentials. Its C2 was built to resist takedown: server addresses encoded in Solana transaction memo fields, configuration stored in the BitTorrent DHT, Base64 C2 paths hidden in Google Calendar event titles, and direct VPS connections for payload delivery. All four had to fall at once. Infected hosts now beacon to CrowdStrike's sinkhole at 164.92.88[.]210.