Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

144 Mastra AI-framework npm packages backdoored via hijacked account

Attackers hijacked the npm account of a former contributor to Mastra, a popular open-source framework for building AI applications, and in an 88-minute automated burst republished 144 packages under the @mastra scope with a hidden malicious dependency. The poisoned dependency, a fake clone of a date library, runs at install time: it disables TLS checks, downloads a second-stage cryptocurrency-stealing trojan, runs it as a detached process, and deletes itself. Because @mastra/core alone sees over 900,000 weekly downloads and the payload fires on install, anyone who installed an affected version since June 16 could be compromised before importing anything. npm has pulled the malicious versions.

Check
Check whether any developer machine, CI runner, or build system installed an @mastra package on or after June 16, and scan for the malicious easy-day-js dependency and install-time persistence artifacts.
Affected
Developers and pipelines that installed any @mastra package (including @mastra/core) on or after June 16, 2026; the malicious easy-day-js dependency ran code automatically at install time.
Fix
Roll affected packages back to pre-incident versions, treat affected hosts as compromised, rotate all credentials, tokens, and AI keys, move any crypto wallet funds from a clean device, and require signed-package installs.

DragonForce ransomware hid command traffic inside Microsoft Teams for months

Symantec reports that DragonForce ransomware operators stayed hidden inside a major US services firm's network for up to two months by disguising their command-and-control traffic as ordinary Microsoft Teams activity. A new Go-based backdoor, Backdoor.Turn, grabs an anonymous Teams visitor token, routes through a legitimate Microsoft Teams relay server, and then tunnels to the attackers' real server, so defenders watching the network only see connections to genuine Microsoft infrastructure. It is the first known malware to abuse Teams relay servers this way. The attackers also used a custom malicious driver to disable defenses, and installed the backdoor after deploying ransomware, suggesting they kept access for a return visit or to resell.

Check
Hunt for anomalous QUIC and Teams-relay traffic and unexpected processes making Teams connections, and review hosts for suspicious drivers, new accounts, and weakened password or firewall settings.
Affected
Organizations targeted by DragonForce; because the backdoor blends into legitimate Microsoft Teams traffic, network monitoring alone may miss it, leaving internet-facing database servers and weak segmentation as entry points.
Fix
Patch internet-facing SQL and other servers, enforce least privilege and driver-signing controls, monitor for Teams-relay abuse and BYOVD activity, and maintain tested offline backups and network segmentation to limit ransomware impact.

China-linked SprySOCKS backdoor jumps to Windows with kernel-level stealth

ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.

Check
On Windows servers, watch for unexpected kernel drivers and scheduled tasks tied to DLL side-loading, and patch internet-facing Fortinet, Exchange, GitLab, Telerik, and Zimbra systems this group abuses.
Affected
Windows environments at espionage-relevant targets, particularly government organizations; the group gains initial access through unpatched public-facing servers, then uses kernel drivers to stay hidden from defenders' tools.
Fix
Patch and harden internet-facing services, enable driver-signing enforcement and kernel-level monitoring, hunt for the known driver and loader components, and isolate and rebuild any host showing signs of kernel-level tampering.

Rokarolla Android trojan hits 217 banking and crypto apps with full device control

Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.

Check
Ensure mobile users install apps only from official stores, keep Google Play Protect on, and treat any app requesting Accessibility access, especially a fake Play Protect prompt, as suspicious.
Affected
Android users who side-load apps from links or sites impersonating TikTok, Chrome, or other popular apps; customers of the 217 targeted banking and cryptocurrency apps are the financial target.
Fix
There is no patch since this is malware. Install only from official app stores, keep Play Protect enabled, deny Accessibility access to untrusted apps, and use mobile threat defense on managed devices.

North Korea's ScarCruft uses fake Microsoft alerts to plant NarwhalRAT spyware

South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.

Check
Train staff to treat unexpected Microsoft account-security or OTP-alert emails with caution, verify the real sender domain, and never open attached archives or shortcut files from such messages.
Affected
Targets of North Korean espionage, with this campaign focused on South Korean users; victims are lured by fake Microsoft account-security emails carrying a ZIP with a malicious shortcut file.
Fix
Block or quarantine inbound archives containing shortcut files, enforce phishing-resistant MFA so OTP-themed lures lose value, and alert on scheduled tasks that launch scripts fetching payloads into memory.

WordPress plugin supply-chain attack backdoors sites via Awesome Motive CDN

Attackers compromised the content-delivery network of Awesome Motive, one of the biggest WordPress plugin makers, and injected malicious JavaScript into files served for OptinMonster, TrustPulse, and PushEngage, plugins running on more than 1.2 million sites. Discovered by Sansec, the code only triggered when a logged-in WordPress administrator viewed an affected site, at which point it stole authentication tokens, created a hidden rogue admin account, and installed a self-concealing backdoor plugin that exposed a web shell. The bad files were served on June 12 to 14. Awesome Motive says attackers stole a CDN API key after breaching its marketing site, and has since rotated credentials.

Check
If your site runs OptinMonster, TrustPulse, or PushEngage, check for rogue admin accounts like developer_api1 or dev_xxxxxx and inspect wp-content/plugins for hidden backdoor plugins.
Affected
WordPress sites running OptinMonster, TrustPulse, or PushEngage where an administrator was logged in during the June 12 to 14 injection window; other Awesome Motive plugins should be treated cautiously.
Fix
Remove rogue admin accounts and backdoor plugins, then rotate administrator passwords, API keys, database credentials, and WordPress security salts. Update affected plugins and scan the site for further tampering.

China-linked group hid in research networks, stealing email via Workspace rules

Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.

Check
Audit Google Workspace mail forwarding and filter rules for unauthorized auto-forwarding to external addresses, and review REDCap and other research servers for unexpected accounts, credential theft, or backdoor activity.
Affected
Medical, academic, and defense research organizations running REDCap servers and Google Workspace; long-dwell, low-noise espionage groups target their sensitive research and defense communications.
Fix
Remove malicious mail rules, reset exposed credentials, and enforce phishing-resistant MFA. Patch and monitor REDCap servers, restrict who can create auto-forwarding rules, and alert on new external forwarding.

North Korean hackers poison npm packages to hit developers and steal crypto

The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.

Check
Audit developer machines and CI pipelines for recently installed npm packages with post-install scripts from unfamiliar publishers, and review whether staff engaged with unsolicited recruiters or take-home coding tests.
Affected
Software developers, especially in cryptocurrency, Web3, and blockchain, targeted through malicious npm packages and fake job interviews; their machines, wallets, and source code are the goal.
Fix
Vet dependencies before installing, block install-time scripts in CI, isolate untrusted coding tests in disposable sandboxes, and train developers to treat unsolicited recruiter outreach and test assignments as suspect.

Agentjacking hijacks AI coding agents via fake Sentry error reports

Researchers at Tenet Security have disclosed Agentjacking, a new attack that turns AI coding assistants like Claude Code, Cursor, and Codex into tools for running an attacker's code on a developer's machine. The trick abuses Sentry, a widely used error-tracking service: anyone can submit a fake error event using a project's DSN, a public write-only key embedded in website code, and the AI agent, fetching that event through Sentry's MCP integration, cannot tell the malicious instructions from real diagnostics and runs them with the developer's privileges. No phishing, malware, or server breach is needed, and it bypasses traditional controls because every step is technically authorized. Tenet found 2,388 exposed organizations.

Check
Inventory developers using AI coding agents connected to Sentry or other MCP integrations that surface external data, and check whether your Sentry DSNs are exposed in frontend code or repositories.
Affected
Development teams using MCP-connected AI coding agents (Claude Code, Cursor, Codex) alongside Sentry; any project whose public DSN lets attackers inject error events that the agent treats as trusted instructions.
Fix
Run AI coding agents with least privilege in sandboxes, require human approval before they execute commands, treat all MCP tool output as untrusted, and limit which integrations feed agents external data.

Over 400 Arch Linux AUR packages hijacked to drop stealer and rootkit

Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.

Check
List AUR packages installed or updated since June 9 and diff their PKGBUILD and install scripts, flagging any that invoke npm, pip, or cargo for no clear reason.
Affected
Arch Linux and Arch-based systems where AUR packages were installed or updated on or after June 9 via helpers like yay or paru; root installs also expose an eBPF rootkit.
Fix
Remove affected packages and rotate all credentials, SSH keys, tokens, and wallets from the host. If a package ran as root, rebuild the machine; the rootkit makes in-place cleanup untrustworthy.