Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


SAP npm Supply-Chain Credential Theft

04-May-2026
Label: Malware
Threat Level: Medium

A supply-chain compromise in npm packages delivered malicious preinstall scripts that executed a secondary payload to harvest developer and CI/CD credentials, cloud keys, and Kubernetes configuration. The vector enables widespread credential exposure and downstream repository and package compromise.

Analysis shows the installer hook ran a loader (setup.mjs) that downloaded an external JavaScript runtime and launched a heavily obfuscated second-stage payload. The payload harvests npm and GitHub tokens, SSH keys, cloud provider secrets, Kubernetes configs, and attempts to read CI runner memory to capture ephemeral secrets. Stolen data is encrypted, staged via Git hosting APIs and specially crafted commits, and the malware attempts to use stolen credentials to compromise additional packages and repositories.

This campaign weaponizes trusted development and build tooling: routine dependency installs can run code with installer privileges, and the use of alternative runtimes and large obfuscated payloads complicates detection, increasing the potential for long-lived access and widespread compromise across development and CI infrastructure.
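The mechanism described above, an install-time hook that launches a loader such as setup.mjs, is visible in the package manifest before npm ever runs it. The following audit script is an added example written for this page, not CyberProof tooling or code from the compromised packages; it reads package.json files (or the constructed in-memory manifests at the bottom), lists every hook npm executes automatically during install, and flags hooks that fetch remote content or start a separate script file. The suspect patterns and the sample manifests are assumptions constructed for illustration.

```python
"""Audit npm package manifests for install-time lifecycle scripts.

Added example (not CyberProof code). Walks a node_modules tree or a set
of in-memory manifests, reports every hook npm runs on its own during
`npm install` / `npm ci`, and marks hooks that look like a loader.
"""
import json
import os
import re

# Hooks npm executes automatically at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics (constructed for this example) for a hook that stages or
# runs a second stage instead of building the package in place.
SUSPECT_PATTERNS = [
    re.compile(r"https?://", re.I),                               # remote fetch
    re.compile(r"\b(curl|wget)\b", re.I),                          # download tool
    re.compile(r"\b(node|bun|deno)\s+\S+\.(mjs|cjs|js)\b", re.I),  # runs a loader file
    re.compile(r"\|\s*(sh|bash)\b", re.I),                         # pipes into a shell
    re.compile(r"\beval\b", re.I),
]


def classify_hook(command: str) -> list:
    """Return the suspect patterns (as pattern strings) a hook command matches."""
    return [p.pattern for p in SUSPECT_PATTERNS if p.search(command)]


def audit_manifest(name: str, manifest: dict) -> list:
    """Report every install-time hook declared in one package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append({
            "package": name,
            "hook": hook,
            "command": cmd,
            "matches": classify_hook(cmd),
        })
    return findings


def audit_tree(root: str) -> list:
    """Audit every package.json below root (for a real node_modules directory)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # unreadable manifest: skip rather than abort the scan
        findings.extend(audit_manifest(manifest.get("name", dirpath), manifest))
    return findings


# Constructed sample manifests: a benign native build, a package with no
# install hooks, and a preinstall hook that launches a loader script.
SAMPLE_MANIFESTS = {
    "native-addon": {"scripts": {"install": "node-gyp rebuild", "test": "jest"}},
    "harmless-lib": {"scripts": {"build": "tsc", "test": "mocha"}},
    "tampered-pkg": {"scripts": {"preinstall": "node setup.mjs", "test": "jest"}},
}


def audit_samples() -> list:
    """Run the audit over the constructed manifests."""
    findings = []
    for name, manifest in SAMPLE_MANIFESTS.items():
        findings.extend(audit_manifest(name, manifest))
    return findings


if __name__ == "__main__":
    for f in audit_samples():
        flag = "SUSPECT" if f["matches"] else "review"
        print(f"[{flag}] {f['package']}: {f['hook']} -> {f['command']}")
```

Every install hook is worth a look, not only the flagged ones: a native build via node-gyp is normal, but a hook is the point where a dependency gets to run code with the installer's privileges. In CI, running `npm ci --ignore-scripts` (a standard npm option) and then invoking needed build steps explicitly removes that automatic execution entirely.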

High-Severity Linux Kernel Flaw Enables Root Privilege Escalation

04-May-2026
Label: Vulnerability
Threat Level: Medium

A newly disclosed Linux kernel vulnerability, CVE-2026-31431, also known as "Copy Fail", introduces a high-severity privilege escalation risk affecting a wide range of modern Linux distributions. The flaw originates from a kernel change introduced in 2017 and affects kernels released up to 2026, including those shipped with major distributions such as Ubuntu and RHEL. The issue stems from improper buffer handling in the algif_aead cryptographic module, allowing attackers with local access to manipulate the file page cache and inject malicious code into memory.

Exploitation enables attackers to modify executable files in memory without altering them on disk, effectively bypassing integrity checks. By targeting setuid binaries, attackers can execute arbitrary code with root privileges upon execution. The attack is particularly concerning due to its simplicity, relying on minimal code and legitimate system calls that are difficult to distinguish from normal behavior. In containerized environments, the vulnerability also raises the risk of container escape, potentially leading to full host compromise.

While the vulnerability requires local access, it can be leveraged in post-exploitation scenarios or by insiders.

Vect Ransomware RaaS Expands Through Affiliates

04-May-2026
Label: Ransomware
Threat Level: Medium

A newly emerged ransomware group in early 2026 is rapidly gaining traction through a Ransomware-as-a-Service (RaaS) model combined with strategic partnerships that significantly expand its operational reach. Its alignment with a threat actor previously linked to supply chain compromises targeting widely used open-source security tools increases the overall risk profile, while an open affiliate program with minimal entry barriers enables rapid onboarding of operators. This combination of accessible infrastructure and external collaboration positions the group for accelerated growth in both attack volume and capability, making it a notable threat in the evolving ransomware ecosystem.

The operation provides affiliates with a centralized management panel to generate cross-platform payloads and manage active campaigns, supported by a tiered commission structure that incentivizes higher returns. Once deployed, the ransomware leverages multiple lateral movement techniques, including remote execution via WinRM, scheduled task creation and service-based propagation, often using hardcoded credentials embedded within the payload. Encryption is performed using the ChaCha20 algorithm across Windows, Linux and virtualized environments, including ESXi systems. The Linux and ESXi variants implement geo-fencing checks to avoid execution in specific regions, indicating deliberate targeting controls. Analysis of the malware reveals code and structural similarities to a previously active ransomware group, suggesting a potential lineage or shared development resources. This combination of modular tooling, cross-platform support and aggressive affiliate expansion underscores a scalable and evolving threat capable of widespread enterprise impact.

DeepDoor Python Backdoor Enables Stealthy Credential Theft and Persistence

04-May-2026
Label: Malware
Threat Level: Medium

A newly discovered Python-based backdoor framework uses an obfuscated batch loader to deploy a persistent surveillance and credential-stealing implant on Windows systems. The threat carries significant risk, functioning as a fully featured Remote Access Trojan capable of long-term espionage, credential theft, lateral movement, and destructive operations, making it a serious concern for both enterprise and individual targets.

The infection begins with a batch script that disables Windows security controls, dynamically extracts an embedded Python payload, and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and WMI subscriptions, all without relying on external payload downloads, as the implant is embedded directly inside the dropper. Before deploying the backdoor, the loader performs extensive defense evasion by systematically weakening host-based security controls, leveraging PowerShell to disable core Defender protections and ensure subsequent payload execution occurs with minimal visibility.

Once environment validation is complete, the implant initializes communication with attacker-controlled infrastructure through a resilient and stealthy command-and-control channel built on a public tunneling service rather than traditional dedicated servers. From there, operators can execute shell commands, upload and download files, harvest credentials from browsers, cloud services, and SSH keys, and initiate full surveillance including keylogging, screenshots, webcam access, microphone recording, and clipboard monitoring. This campaign reflects the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely on native system components and interpreted languages, significantly reducing external dependencies and limiting traditional detection opportunities.

MiniRAT Delivered via Malicious npm Package on macOS

04-May-2026
Label: Malware
Threat Level: Medium

A newly identified macOS remote access trojan named MiniRAT has been observed in the wild, delivered through a malicious package on npm targeting developer environments. Written in Go, the malware is designed for stealth and persistence, combining anti-virtualization checks, encrypted command-and-control (C2) communication and native macOS persistence mechanisms. Its distribution via a developer-focused supply chain vector increases the risk of compromise across workstations, CI environments and connected infrastructure where elevated privileges and sensitive credentials are commonly present.

The infection begins with execution of the trojan, which immediately performs anti-analysis checks by inspecting system identifiers such as hostname, CPU details and hardware vendor information, terminating if a virtualized environment is detected. It establishes persistence by modifying shell configuration files and deploying a LaunchAgent to trigger execution at user login. The malware decrypts embedded AES-encrypted C2 configuration data and stores it locally, enabling dynamic infrastructure updates. Once connected, it profiles the host, enriches the data with geolocation details and transmits it to the attacker as part of an initial registration process. MiniRAT supports core backdoor capabilities including file exfiltration, arbitrary command execution and payload delivery, enabling follow-on attacks. Its structured design, premeditated development timeline and integration with supply chain distribution highlight a deliberate and evolving threat targeting macOS-based developer ecosystems.
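The two persistence mechanisms named above, a LaunchAgent that fires at login and an edited shell configuration file, both leave artifacts a host check can read. The script below is an added example written for this page, not CyberProof tooling and not MiniRAT code; it parses LaunchAgent plists and shell start-up files and reports login-time entries that run something from a hidden or user-writable location. The trusted-path list, the "backgrounded" heuristic and the sample plist and rc contents are assumptions constructed for illustration.

```python
"""Audit macOS per-user login persistence: LaunchAgents and shell rc files.

Added example (not CyberProof or MiniRAT code). Flags LaunchAgents whose
program lives outside a trusted prefix or in a hidden directory, and rc
lines that background a program from a hidden directory under the home.
"""
import plistlib
import re

# Where a login-time program is expected to live (assumption for this example).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/homebrew/")

# ~/.something, $HOME/.something or /Users/<name>/.something
HIDDEN_HOME = re.compile(r"(?:~|\$HOME|/Users/[^/\s]+)/\.[^/\s]+")
# Line starts a detached process: nohup ... or trailing '&'.
BACKGROUNDED = re.compile(r"(^|\s)nohup\s|&\s*$")


def program_of(plist: dict) -> str:
    """Executable a LaunchAgent would run, or '' if none is declared."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def is_untrusted_path(path: str) -> bool:
    """True for relative paths, hidden directory components, or untrusted prefixes."""
    if not path.startswith("/"):
        return True           # resolved relative to cwd at login: not a normal agent
    if "/." in path:
        return True           # hidden directory component, e.g. /Users/x/.cache/y
    return not path.startswith(TRUSTED_PREFIXES)


def audit_launch_agent(source: str, raw: bytes):
    """Return a finding dict for a login-time agent with an untrusted program, else None."""
    plist = plistlib.loads(raw)
    prog = program_of(plist)
    runs_at_login = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    if runs_at_login and is_untrusted_path(prog):
        return {"source": source, "label": plist.get("Label"), "program": prog}
    return None


def audit_rc_text(source: str, text: str) -> list:
    """Flag non-comment rc lines that background a program from a hidden home dir."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if HIDDEN_HOME.search(s) and BACKGROUNDED.search(s):
            findings.append({"source": source, "line": lineno, "text": s})
    return findings


# Constructed samples: one ordinary vendor updater and one agent pointing
# at a hidden path under the home directory.
SAMPLE_AGENTS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.sample.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.sample.helper</string>
  <key>Program</key><string>/Users/dev/.local/.helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Constructed ~/.zshrc: a PATH export, a common nvm line, and an appended hook.
SAMPLE_ZSHRC = """# constructed sample rc file
export PATH="$HOME/bin:$PATH"
[ -s "$HOME/.nvm/nvm.sh" ] && . "$HOME/.nvm/nvm.sh"
nohup "$HOME/.local/.helper" >/dev/null 2>&1 &"""


def audit_samples():
    """Run both audits over the constructed samples: (agent findings, rc findings)."""
    agents = [f for f in (audit_launch_agent(n, raw) for n, raw in SAMPLE_AGENTS.items()) if f]
    rc = audit_rc_text("~/.zshrc", SAMPLE_ZSHRC)
    return agents, rc


if __name__ == "__main__":
    agents, rc = audit_samples()
    for a in agents:
        print(f"[agent] {a['source']}: {a['label']} runs {a['program']}")
    for r in rc:
        print(f"[rc] {r['source']}:{r['line']}: {r['text']}")
```

On a real host the same functions apply to the files under ~/Library/LaunchAgents and to the rc files in the home directory; the nvm line in the sample is deliberately left unflagged because sourcing a script is routine, whereas a detached process started from a hidden directory at every login is what the two persistence techniques above have in common.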

Critical Packet Parsing RCE Vulnerabilities Detected in Wireshark

04-May-2026
Label: Vulnerability
Threat Level: Medium

Wireshark has released a major security update addressing dozens of vulnerabilities, including multiple flaws that can lead to arbitrary code execution. These issues increase the risk for environments using Wireshark for traffic inspection, forensics, and monitoring, especially where it is executed with elevated privileges. Exploitation could allow attackers to gain control over analyst systems or disrupt visibility into network activity, directly affecting detection and investigation processes.

The most critical weaknesses are found in several protocol parsing components, where malformed network packets or crafted capture files can trigger crashes with potential code execution, including CVE-2026-5402 (CVSS 8.8), CVE-2026-5403 (CVSS 7.8), CVE-2026-5405 (CVSS 7.8), and CVE-2026-5656 (CVSS 7.8). In a typical attack flow, an adversary positioned on the same network or delivering a malicious capture file introduces specially crafted input that is processed during packet analysis, leading to memory corruption and possible execution. Alongside these, a wide range of additional flaws affects multiple protocol handlers, where malformed traffic results in application crashes, enabling denial-of-service conditions without requiring authentication or prior access.

Further vulnerabilities involve infinite loop conditions and resource exhaustion scenarios, where specific malformed inputs can cause Wireshark to hang and halt automated analysis pipelines. In addition, low-level issues in decompression routines, such as CVE-2026-6535 (CVSS 5.5) and CVE-2026-6533 (CVSS 5.5), extend the risk across any protocol using compressed data, broadening the exposure beyond individual protocol handlers.
