Threats

Malware, attack campaigns, APT groups

Trivy Supply Chain Attack Escalates — TeamPCP Pushes Infostealers via Docker Hub, Deploys Kubernetes Wiper Targeting Iranian Systems

The supply chain compromise of Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security, has escalated dramatically — with threat actor TeamPCP pushing malicious Docker images to Docker Hub, defacing Aqua Security's internal GitHub organization, distributing a self-propagating worm across dozens of npm packages, and deploying a

By Zero Day Wire
Storm-2561 Distributes Fake Enterprise VPN Clients From Cisco, Fortinet, and Ivanti via SEO Poisoning to Steal Corporate Credentials

Microsoft has disclosed a credential theft campaign by Storm-2561, a criminal group active since May 2025, that distributes fake enterprise VPN clients from major vendors through SEO poisoning — capturing corporate credentials before seamlessly redirecting victims to the real VPN download to erase any indication of compromise. The campaign, running since

By Zero Day Wire
BlackBasta-Linked Actors Deploy New A0Backdoor via Microsoft Teams Social Engineering With DNS MX-Based C2

Threat actors linked to the dissolved BlackBasta ransomware operation are targeting employees at financial and healthcare organizations through Microsoft Teams social engineering to deploy a previously undocumented backdoor called A0Backdoor that hides its command-and-control communications inside DNS MX record queries. The campaign, disclosed by BlueVoyant, has confirmed targets including a

By Zero Day Wire
Dutch Intelligence Warns of Russian State Campaign Hijacking Signal and WhatsApp Accounts of Government Officials Worldwide

The Dutch intelligence services AIVD and military intelligence service MIVD have issued a joint advisory warning that Russian state hackers are conducting a large-scale campaign to hijack Signal and WhatsApp accounts belonging to senior government officials, military personnel, civil servants, and journalists worldwide. Dutch government employees have already been targeted

By Zero Day Wire
Chinese Threat Actor CL-UNK-1068 Targets Asian Critical Infrastructure Across Seven Sectors in Years-Long Espionage Campaign

Palo Alto Networks Unit 42 has disclosed a years-long espionage campaign by a previously undocumented Chinese threat group designated CL-UNK-1068 targeting high-value organizations across seven critical infrastructure sectors in South, Southeast, and East Asia. The campaign, assessed with moderate-to-high confidence as cyber espionage, targets aviation, energy, government, law enforcement, pharmaceutical,

By Zero Day Wire
Iranian Threat Actors Intensify IP Camera Exploitation Across Six Countries to Support Missile Operations and Battle Damage Assessment

Check Point Research has disclosed that multiple Iran-nexus threat actors have intensified exploitation of IP cameras across six countries in the Middle East and Eastern Mediterranean since the onset of hostilities — activity assessed to support battle damage assessment (BDA) and target correction for Iranian missile operations. The targeting, which spiked

By Zero Day Wire
APT41-Linked Silver Dragon Targets Governments Across Europe and Southeast Asia Using Google Drive C2 and Three Distinct Infection Chains

Check Point has disclosed a previously undocumented APT group dubbed Silver Dragon operating within the APT41 umbrella that has been targeting government entities across Europe and Southeast Asia since at least mid-2024 using three distinct infection chains, custom loaders, and a backdoor that uses Google Drive as its command-and-control infrastructure.

By Zero Day Wire