Attackers hijacked the npm account of a former contributor to Mastra, a popular open-source framework for building AI applications, and in an 88-minute automated burst republished 144 packages under the @mastra scope with a hidden malicious dependency. The poisoned dependency, a fake clone of a date library, runs at install time: it disables TLS checks, downloads a second-stage cryptocurrency-stealing trojan, runs it as a detached process, and deletes itself. Because @mastra/core alone sees over 900,000 weekly downloads and the payload fires on install, anyone who installed an affected version since June 16 could be compromised before importing anything. npm has pulled the malicious versions.
Symantec reports that DragonForce ransomware operators stayed hidden inside a major US services firm's network for up to two months by disguising their command-and-control traffic as ordinary Microsoft Teams activity. A new Go-based backdoor, Backdoor.Turn, grabs an anonymous Teams visitor token, routes through a legitimate Microsoft Teams relay server, and then tunnels to the attackers' real server, so defenders watching the network only see connections to genuine Microsoft infrastructure. It is the first known malware to abuse Teams relay servers this way. The attackers also used a custom malicious driver to disable defenses, and installed the backdoor after deploying ransomware, suggesting they kept access for a return visit or to resell.
ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.
Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.
South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.
Attackers compromised the content-delivery network of Awesome Motive, one of the biggest WordPress plugin makers, and injected malicious JavaScript into files served for OptinMonster, TrustPulse, and PushEngage, plugins running on more than 1.2 million sites. Discovered by Sansec, the code only triggered when a logged-in WordPress administrator viewed an affected site, at which point it stole authentication tokens, created a hidden rogue admin account, and installed a self-concealing backdoor plugin that exposed a web shell. The bad files were served on June 12 to 14. Awesome Motive says attackers stole a CDN API key after breaching its marketing site, and has since rotated credentials.
Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.
The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.
Researchers at Tenet Security have disclosed Agentjacking, a new attack that turns AI coding assistants like Claude Code, Cursor, and Codex into tools for running an attacker's code on a developer's machine. The trick abuses Sentry, a widely used error-tracking service: anyone can submit a fake error event using a project's DSN, a public write-only key embedded in website code, and the AI agent, fetching that event through Sentry's MCP integration, cannot tell the malicious instructions from real diagnostics and runs them with the developer's privileges. No phishing, malware, or server breach is needed, and it bypasses traditional controls because every step is technically authorized. Tenet found 2,388 exposed organizations.
Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.