Darktrace observed a recurring intrusion pattern in which ClickFix-style social engineering led macOS users into execution, followed by AppleScript or other native scripting and sustained outbound signaling. The use case is explicitly tied to activity Mic…
« Reports in 2026
414 reports
Sapphire Sleet compromised the `ehindero` npm maintainer account and injected the malicious `[email protected]` dependency into 144 Mastra AI npm packages during an 88-minute window on June 17, 2026. The postinstall hook executed an obfuscated JavaScrip…
A North Korea-linked Lazarus subgroup targeted financial institutions and cryptocurrency organizations with a multi-stage malware framework built around DPAPILoader, RemotePELoader, and the in-memory RemotePE RAT. The toolset uses Windows DPAPI for enviro…
Passive OSINT collection outside the DPRK embassy in London identified ordinary wireless infrastructure and endpoint signals rather than malicious activity. The observations suggest the site has used BT, Virgin Media, and previously TalkTalk connectivity,…
SentinelLABS analyzed macOS.Gaslight, a Rust-based macOS implant and infostealer assessed with high confidence as part of DPRK-aligned macOS activity. The malware uses Telegram Bot API polling for C2, AES-GCM encryption over certificate-pinned TLS, and ru…
Melted in Hex reverses PolinRider, a DPRK/Lazarus-attributed npm supply-chain loader hidden in the functional packages tailwind-color-shades and safe-validate. The loader executes on import, resolves encrypted stages through TRON, Aptos, and Binance Smart…
A developer reported obfuscated JavaScript hidden in `tailwind.config.js` and another backend file across three repositories, followed by unknown Node processes in local and production environments and Git commits made under the author's name. Sandbox ana…
Lazarus is presented as a North Korean state-backed umbrella of related teams that blends espionage, disruptive attacks, cryptocurrency theft, supply chain compromise, and IT-worker infiltration. The article highlights major attributed incidents including…
The Bybit theft used a compromised Safe{Wallet} developer workstation, stolen cloud session tokens, AWS reconnaissance, and malicious JavaScript injected into Safe{Wallet}'s frontend to manipulate a multi-signature transaction while displaying legitimate …
The episode examines the behavioral layer that makes DPRK-linked fake interview campaigns work before obvious malware execution. The source describes how recruiter messages, plausible companies, broken calls, shared repositories, browser prompts, login re…
A hijacked npm maintainer account republished more than 140 Mastra packages with one added dependency on the typosquatted `easy-day-js` package, leaving Mastra's own library code unchanged while moving malware one dependency hop away. The malicious `easy-…
A compromised dormant maintainer account republished more than 140 Mastra npm packages with a malicious dependency on `easy-day-js`, a clean-then-armed typosquat that installed a two-stage JavaScript backdoor. The payload stole browser history and data fr…
A DPRK-linked attacker compromised seven high-privilege Humanity Protocol keys stored on one director's laptop, giving them enough signatures to defeat both Ethereum and BSC Gnosis Safe thresholds. The attacker transferred ProxyAdmin ownership, upgraded t…
An attacker compromised the @mastra npm organization and republished more than 140 Mastra ecosystem packages with a dependency on the typosquatted `easy-day-js` package. The malicious `[email protected]` release used a postinstall dropper to disable TLS…
A compromised Mastra maintainer account was used to publish 116 malicious npm packages, mostly under the `@mastra/` namespace, with a postinstall script designed to exfiltrate credentials and remove itself. Mastra identified the attack the evening of June…