Last updated: July 5, 2026 at 9:01 AM UTC
Tag: supply-chain (85 articles)

Six protobuf.js flaws let malicious schemas run code in Node.js apps

Researchers at Cyera have disclosed six vulnerabilities, collectively named Proto6, in protobuf.js, a JavaScript and TypeScript library for Google's Protocol Buffers data format that sees more than 50 million downloads a week. The flaws stem from the library trusting schema and metadata by default, so a single malicious schema or crafted payload can crash a service, inject code, or lead to remote code execution. Cyera demonstrated real attacks including poisoning CI/CD pipelines to leak build secrets and crashing WhatsApp automation bots. Because protobuf.js is embedded across cloud services, AI platforms, and build systems, the reach is broad. Fixed versions are 7.5.6 and 8.0.2.

Check
Inventory applications and pipelines that depend on protobuf.js directly or transitively, and identify any that deserialize Protobuf data or generate code from schemas supplied by untrusted sources.
Affected
Node.js applications, cloud client libraries, CI/CD pipelines, and messaging frameworks using protobuf.js before 7.5.6 or 8.0.2 (CVEs include CVE-2026-44289, CVE-2026-44295) that process untrusted schemas.
Fix
Upgrade protobuf.js to 7.5.6 or 8.0.2 and protobufjs-cli to 1.2.1 or 2.0.2, and treat incoming schemas and descriptors as untrusted input rather than safe data.

New Shai-Hulud wave poisons 19 scientific Python packages on PyPI

The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.

Check
Search Python environments, lock files, and CI build logs for the 19 affected packages (including Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH) installed during the malicious window.
Affected
Developers and research teams that installed the trojanized versions of the 19 PyPI scientific packages, especially bioinformatics workflows pulling Dynamo, Spateo, CoolBox, U-FISH, or Napari-UFISH.
Fix
Remove the malicious versions and pin to known-good releases, then rotate every developer, cloud, and CI credential exposed on machines that installed them. Rebuild from trusted sources.

Miasma worm hits 73 Microsoft GitHub repos, targets AI coding tools

The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.

Check
Search your GitHub orgs for commits, public repos, or build files matching Miasma naming patterns, and review build files and AI coding agent configs (binding.gyp, agent rules) for unexpected auto-run payloads.
Affected
Organizations using npm, PyPI, or GitHub alongside AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code). Stolen maintainer tokens enable backdoored package and repo publishing.
Fix
Rotate GitHub, npm, and cloud credentials exposed to affected projects. Remove malicious commits and configs, enforce 2FA and short-lived tokens, and block install-time scripts in CI.

Polyfill.io resurfaces, injecting fake login prompts on Toshiba and Muji sites

Toshiba and Muji have warned website visitors that suspicious sign-in screens appearing on their sites could harvest credentials, advising anyone who entered login data to change their passwords. The pop-ups were generated by the external polyfill[.]io service, which injected malicious code via its CDN after the domain was bought by a Chinese entity in 2024 - an incident that affected more than 100,000 websites. Japanese outlets report Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also hit, and a researcher observed Samsung Smart TVs and sites showing the prompt on June 1. Polyfill is a JavaScript compatibility CDN for legacy browsers; affected sites should remove all polyfill[.]io references immediately.

Check
Grep your web properties and third-party tags for any references to polyfill[.]io (scripts, CDN links, GTM containers). Check Samsung/IoT and legacy-browser-support code paths. Review recent customer credential-reset reports.
Affected
Any website still loading scripts from polyfill[.]io - the CDN compromised in 2024 and now serving credential-harvesting login prompts. Toshiba, Muji, Samsung Smart TVs, and several Japanese brands were hit.
Fix
Remove all polyfill[.]io references immediately and replace with a trusted fork (e.g. Cloudflare or Fastly mirrors). Force-reset credentials for any users who may have entered them into injected prompts.

IronWorm Rust npm worm hits 36 packages, steals Anthropic/OpenAI/AWS credentials via eBPF rootkit and Tor; GitHub Actions used for exfil

JFrog has documented IronWorm, a new npm supply-chain worm that has infected 36 packages with an infostealer targeting 86 environment variables and 20 credential files - including OpenAI, AWS, Anthropic, and npm credentials, Vault configs, SSH keys, and Exodus wallet files. Written in Rust, it hides behind an eBPF kernel rootkit and communicates over Tor. It self-propagates using stolen npm Trusted Publishing secrets to trojanize the victim's own packages. JFrog found the same commit names as Shai-Hulud (commit author 'claude,' timestamps faked up to 13 years old) and suspects an evolution of TeamPCP's payload. Notably, it exfiltrates secrets by uploading them as innocuous-looking GitHub Actions build artifacts, avoiding external C2.

Check
Audit npm dependencies and CI for the 36 IronWorm-affected packages and preinstall scripts dropping Rust ELF binaries. Search build artifacts for disguised secret files. Rotate npm, AWS, OpenAI, Anthropic credentials.
Affected
Developers and CI systems that installed IronWorm-trojanized npm packages. It steals OpenAI/AWS/Anthropic/npm credentials, Vault configs, SSH keys, and wallets, then self-propagates via stolen Trusted Publishing secrets.
Fix
Remove affected packages, pin via lockfile, and rotate every credential reachable from affected hosts. Hunt for eBPF rootkit artifacts and Tor traffic. Review GitHub Actions build artifacts for exfiltrated secrets.

Hola Browser for Windows compromised in supply-chain attack delivering undeclared Monero miner disguised as HolaMonitorService.exe

The Windows version of the Chromium-based Hola Browser has been compromised in a supply-chain attack that delivered an undeclared cryptocurrency miner. The compromise was caught during AppEsteem certification checks, with Sophos and others finding an uncertified, unsigned, obfuscated executable, me.exe, under C:\Program Files\Hola\. Analysis identified it as a Monero miner: it adds a Windows Defender exclusion, copies itself to Program Files as HolaMonitorService.exe, creates an auto-starting service named hola_monitor_svc, and runs when the machine is idle. Hola - the Israeli company behind Hola VPN, long controversial for turning free users into proxies - confirmed the compromise (independently detected by Sygnia) but says only about 0.1% of users were affected.

Check
Inventory Windows endpoints for Hola Browser installs. Check for me.exe or HolaMonitorService.exe under C:\Program Files\Hola\, the hola_monitor_svc service, and Defender exclusion rules. Hunt for Monero-miner traffic.
Affected
Windows users who installed or updated Hola Browser during the compromise window. The undeclared Monero miner adds a Defender exclusion, persists as a service, and runs when idle.
Fix
Remove Hola Browser and the me.exe / HolaMonitorService.exe miner, delete the hola_monitor_svc service, and remove the malicious Defender exclusion. Block the mining pool and monitor for residual persistence.

Red Hat @redhat-cloud-services npm namespace compromised with 'Miasma' Shai-Hulud variant - 30+ packages, 117K weekly downloads, steals dev and cloud secrets

More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.

Check
Inventory projects pulling @redhat-cloud-services npm packages. Check package-lock.json for backdoored versions since the compromise. Rotate developer, cloud, SSH, and CI/CD credentials reachable from build hosts.
Affected
30+ @redhat-cloud-services npm packages (~117K weekly downloads) backdoored with the Miasma Shai-Hulud variant. Red Hat says impact is limited to internal development tooling, not production products.
Fix
Remove affected package versions and pin to known-clean releases via lockfile. Rotate all secrets reachable from affected developer and CI hosts. Apply Aikido and OX Security IoCs.

codexui-android npm steals OpenAI Codex auth tokens for a month - non-expiring refresh_token exfiltrated to fake Sentry endpoint

Aikido Security has disclosed that codexui-android, an npm package advertised as a remote web UI for OpenAI Codex with over 29,000 weekly downloads, has been silently exfiltrating users' Codex authentication tokens for the past month. Unlike a typosquat, the malware was embedded into a functional, actively-developed package roughly a month after publication to build trust; the GitHub repo stayed clean. The code reads ~/.codex/auth.json and ships the access_token, refresh_token, id_token, and account ID to sentry.anyclaw[.]store, a server masquerading as Sentry. The non-expiring refresh_token lets an attacker silently impersonate the developer indefinitely with full Codex account access. The package remains available; the npm account is 'friuns.'

Check
Inventory developer machines for the codexui-android npm package. If present, treat ~/.codex/auth.json as compromised. Search egress for traffic to sentry.anyclaw[.]store.
Affected
Developers who installed codexui-android (29K weekly downloads, still live). Stolen non-expiring Codex refresh_tokens give attackers persistent, silent impersonation of the victim's OpenAI Codex account.
Fix
Remove codexui-android. Revoke and re-issue OpenAI Codex sessions; the refresh_token does not expire, so rotation is mandatory. Pin dependencies and audit AI-tooling packages before install.

Malicious 'Sicoob.Sdk' NuGet steals Brazilian banking PFX certificates via hardcoded Sentry endpoint - amplified by Google Search AI Mode

Socket has flagged a malicious NuGet package, Sicoob.Sdk (versions 2.0.0-2.0.4), that masquerades as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems, and steals PFX certificates used to authenticate businesses with Sicoob's banking APIs. When a developer instantiates SicoobClient, the package reads the PFX file from disk, Base64-encodes it, and exfiltrates the client ID, PFX password, and encoded certificate to a hardcoded third-party Sentry endpoint. It also captures raw Boleto API responses. The package was downloaded ~500 times and the publisher has 11 other NuGet packages with ~6,000 combined downloads. Google Search AI Mode reportedly amplified the package as legitimate.

Check
Inventory C# projects for Sicoob.Sdk versions 2.0.0-2.0.4 and the publisher's 11 other packages. Search outbound traffic to the attacker Sentry endpoint identified in Socket's IoCs.
Affected
C# developers integrating with Sicoob banking APIs in Brazil. Any project that pulled Sicoob.Sdk via NuGet had PFX certificates, client IDs, and Boleto data harvested.
Fix
Remove all 12 affected NuGet packages and rotate every Sicoob PFX certificate and client credential reachable from affected hosts. Verify NuGet package signatures match expected GitHub source going forward.

CrowdStrike, Google, Shadowserver disrupt GlassWorm botnet by cutting four resilient C2 channels - Solana memos, BitTorrent DHT, Google Calendar, direct VPS

CrowdStrike, Google, and The Shadowserver Foundation have disrupted the GlassWorm developer-supply-chain botnet by simultaneously cutting four resilient command-and-control channels. Active since October 2025, GlassWorm spread through malicious OpenVSX and VS Code extensions, GitHub repos, and npm packages (one March campaign hit 400+ artifacts), stealing crypto wallets and developer credentials. Its C2 was built to resist takedown: server addresses encoded in Solana transaction memo fields, configuration stored in the BitTorrent DHT, Base64 C2 paths hidden in Google Calendar event titles, and direct VPS connections for payload delivery. All four had to fall at once. Infected hosts now beacon to CrowdStrike's sinkhole at 164.92.88[.]210.

Check
Run CrowdStrike's published YARA rules across developer workstations and build servers. Search network logs for beacons to 164.92.88[.]210 (CrowdStrike sinkhole) indicating prior GlassWorm infection.
Affected
Developers who installed malicious OpenVSX or VS Code extensions, or pulled compromised GitHub repos and npm packages since October 2025. 400+ artifacts hit in the March campaign alone.
Fix
Remediate any host beaconing to the sinkhole. Audit installed OpenVSX/VS Code extensions against known-bad lists. Rotate crypto wallets and developer credentials exposed on infected machines.