Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy
Basically they think he's super mean and totally not cool, he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff
https://t.co/Bg5iFxI3lc
Broadcasting giant Charter Communications has been breached by ShinyHunters
Charter has 32 million customers and there are 42 million records containing customer PII allegedly at risk
@CharterNewsroom @Ask_Spectrum
Microsoft is investigating a new, emerging Mini Shai-Hulud npm supply chain attack targeting antv packages.
Attackers compromised an antv maintainer account and published malicious versions of multiple widely used packages (for example, antv/g2). As these packages are widely used as dependencies, the compromise propagated into downstream libraries like echarts-for-react, impacting a much broader set of applications and continuous integration (CI) environments.
All compromised packages contain a byte-identical, obfuscated credential-stealing payload delivered via a preinstall hook (Bun). The malware targets high-value secrets including:
- GitHub personal access tokens (PATs) and OpenID Connect (OIDC) tokens
- npm / Amazon Web Services (AWS) credentials and Security Token Service (STS) sessions
- Secure Shell (SSH) keys, kubeconfigs, and .env / .npmrc files
- Software-as-a-service (SaaS) tokens (Slack, Stripe, Vault)
Exfiltration occurs over HTTPS with Transport Layer Security (TLS) validation disabled. The payload also abuses stolen OIDC tokens to forge Supply-chain Levels for Software Artifacts (SLSA) provenance and propagate malicious releases, exhibiting worm-like behavior across repositories.
Malicious files distributed through npm packages are detected by Microsoft Defender as Trojan:AIGen/NPMStealer, "Suspicious Node.js process behavior", or "Credential access attempt", preventing credential theft and malicious post-install execution.
Mitigation:
- Audit dependencies for affected antv and related packages; pin or downgrade to known-good versions (pre-2025-05-18).
- Revoke and rotate exposed credentials (GitHub, npm, cloud tokens, SSH keys).
- Validate integrity of CI pipelines and recent build artifacts.
- Network IOC: Stolen credentials are exfiltrated over HTTPS to t.m-kosche[.]com:443. Block at egress and review network logs for outbound connections.
🚨 Ransomware Alert 🚨
We started monitoring a new ransomware group named "Bavacai". They have listed 16 victims on their dark web portal.
* Rayco Lighting 🇺🇸
* CEAGESP 🇧🇷
* COLEGIO MARÍA INMACULADA 🇨🇱
* Académie de Montpellier 🇫🇷
* Palmers Relocations 🇦🇺
* ActionAid 🇹🇿
* CourtSmart Digital, Inc 🇺🇸
* Desert Christian Schools 🇺🇸
* SIT Group 🇮🇹
* Robusta Ltd 🇧🇬
* Atencio Engineering, Inc 🇺🇸
* Trimble Inc. 🇺🇸
* Magnolia Jewellery 🇮🇱
* Strategic Imports Pty Ltd 🇦🇺
* Bandeirante Supermercados 🇧🇷
* Elken Sdn Bhd 🇲🇾
‼️ watchTowr Labs released a write-up and detection script on the cPanel/WHM vulnerability.
GitHub: https://t.co/tA8E1hxSQF
Write-up: https://t.co/xKos4fPP15
#Udemy data breach confirmed.
After refusing to pay the ransom, hackers released data of 1.4M users, including personal and financial details.
We @DarkEntryAms launched a lookup tool so you can check if you’re affected:
https://t.co/w4c1WdcQl8
#DataBreach #Ransomware
Toronto Police launched Project Lighthouse in November 2025 after police were tipped off about an unknown person(s) operating an SMS Blaster in downtown Toronto.
Watch the video for an actual explanation. The fancy detective lady gives a rundown on what happened.
tl;dr three Chinese dudes somehow built a custom-made portable cell phone tower thingie in a van, drove around Toronto with it. peoples' cell phones automagically connected to it (its literally a cell phone tower thingie). when a cell phone connected to their portable cell tower thingie it would automatically send the connected phone a text which appeared to be from their bank or somewhere important. they interrupted real cell phone towers 13m times lmfao. they were trying to steal passwords and stuff. no details released on how three random nerds managed to do this
Zscaler ThreatLabz has published a technical analysis on activity we believe to be orchestrated by Tropic Trooper, using military-themed lures and a trojanized SumatraPDF to deploy AdaptixC2 with a custom GitHub-based C2, then pivoting to Visual Studio Code tunnels for remote access.
Read more: https://t.co/myj0VbDZYr