The episode focuses on OtterCookie, a second-stage malware family associated with DPRK-linked Contagious Interview activity. The source frames the real target as the developer workstation after code execution, including browser history, terminal residue, …
« Reports in 2026
416 reports
OpenSourceMalware found that npm and PyPI malicious package activity grew at similar rates from January through mid-May 2026, with PyPI growth partly driven by campaigns that published across both ecosystems. The DPRK-linked Contagious Interview campaign …
Sonatype attributes a malicious npm brandjacking campaign to Lazarus Group, involving dozens of packages that imitate or appear adjacent to trusted JavaScript ecosystems such as Buffer, Chai, and React. Analysis of `buffer-utilities` shows a dropper that …
Lazarus Group is described as a North Korean state-backed operation under the Reconnaissance General Bureau, functioning as a revenue-generating arm rather than an independent hacking collective. The excerpt says DPRK-linked actors have stolen an estimate…
Lazarus is assessed to have weaponized CVE-2025-55182, a React Server Components insecure deserialization flaw, in a Windows executable that scans target lists and attempts bulk exploitation for initial access. The intrusion chain pairs the exploit tool w…
EndPoint, formerly known as Midnight, is assessed as a Babuk-derived ransomware variant that targets Windows as well as ESXi and NAS environments and combines file encryption with data-theft extortion. The malware supports path and network-share scoped en…
The Kelp DAO exploiter reportedly laundered about $220 million of the $293 million stolen in the April 18 rsETH exploit, leaving only about $1.7 million traceable in the tagged wallet while $71 million remains frozen by Arbitrum’s Security Council. Onchai…
Infrastructure hunting from the Kimsuky-linked seed domain xpo.coupang.dns.navy expanded a single public indicator into a mapped cluster of 43 servers and 664 associated domains. The infrastructure showed repeated use of AS135377/UCloud Information Techno…
A malicious JavaScript loader was appended to `tailwind.js` in the Packagist dev version `dev-drewroberts/feature/test-case` of the legitimate PHP package `roberts/leads`. Socket assesses the activity as likely tied to Famous Chollima and consistent with …
North Korean-linked operators were tied to two major April 2026 DeFi thefts and a software supply-chain compromise. Drift Protocol lost about $280 million after attackers spent months posing as a legitimate trading firm, obtained pre-signed multisig appro…
Lazarus-linked operators are using a three-stage malware framework, DPAPILoader, RemotePELoader, and RemotePE, to maintain stealthy long-term access in financial and cryptocurrency environments. DPAPILoader decrypts victim-bound payloads with Windows DPAP…
JINX-0164 is reported as a North Korea-linked financially motivated cluster targeting cryptocurrency firms and developers through fake LinkedIn recruiter lures, spoofed meeting sites, and macOS malware. AUDIOFIX steals wallet extension data, desktop walle…
The episode shows how campaign infrastructure can be misclassified when analysts focus on a single observed role. A server first understood as an FTP exfiltration host was later tied to additional campaign-linked services. The source specifically connects…
Sapphire Sleet, also tracked as BlueNoroff and UNC1069, is targeting macOS users in venture capital, Web3, and cryptocurrency organizations through social engineering that delivers a fake Zoom SDK update. The infection chain uses Script Editor, `osascript…
A malicious npm package, js-logger-pack, evolved from a probe into a dropper for MicrosoftSystem64, a cross-platform Node.js Single Executable Application that functions as an infostealer and RAT. The payload targets browser credentials, more than 80 cryp…