Microsoft Threat Intelligence is tracking reports of a suspected compromise of AsyncAPI's release pipeline, resulting in malicious packages published to the asyncapi npm namespace. Four packages (five versions) contain obfuscated malware. Combined, these packages see over 3 million downloads per week:
- asyncapi/[email protected]
- asyncapi/[email protected]
- asyncapi/[email protected]
- asyncapi/[email protected]
- asyncapi/[email protected]
The payload deploys a multi-stage RAT (characteristics overlapping publicly reported Miasma variants; attribution not confirmed) via hidden spawn, then downloads a second-stage payload from IPFS and persists as sync.js in user AppData.
Microsoft Defender for Endpoint customers should act on these alerts:
- Trojan:Script/Supychain.A
To mitigate the issue: Pin to known-good versions, use lockfiles, and rotate any secrets exposed to affected CI runners.
Again, a #Magecart attack abusing
@Google services.
A few Google Tag Manager chains load #magecart code stored on Firestore:
1. M7PNNCBK➡️P7V5927P
2. 56K2MMVS➡️5TMFSL2D
3. MWSL7TTD➡️KX7GNVK5
The stolen #payment data was exfiltrated to Firestore.
#PCIDSS#DataSecurity #FormJacking #infosec #ecommerce #eskimming
🚨 UPDATE: The Google-abusing #Magecart campaign we exposed in late 2024 https://t.co/3onXmIDs4q
Is now being used for #ClickFix attacks 👇
1️⃣ A WebSocket opens to metrics.brandiser.\net
2️⃣ Its incoming message runs & fires a fake request to https://t.co/6loESbbI5c[.]com
3️⃣ The reflected code calls consent.trandiqs.\com
4️⃣ The response serves the ClickFix attack
#ClientSideSecurity #infosec #malware #magecart
A malicious Chromium-based extension spoofed the AI-powered answer engine Perplexity AI to intercept browser search traffic and collect user input before redirecting users to expected search providers. https://t.co/moxI8DxhiQ
Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting hospitality organizations in Europe and Asia. The campaign uses photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant and evade detection. https://t.co/VerutunRvb
Threat actors have continued to refine the campaign over time while maintaining the same core attack chain. Microsoft observed two distinct waves of activity, including changes to delivery mechanisms, infrastructure, and evasion techniques designed to help the operation persist and avoid detection.
For example, the second wave demonstrates the resilience of the campaign's dual-persistence model. In one observed case, malicious payloads were blocked, yet Node.js persistence remained active and later re-established command-and-control (C2) communications through new infrastructure.
Learn more about the campaign's evolution, phishing infrastructure, and persistence mechanisms, and review Microsoft Defender detections and recommendations to help organizations investigate and defend against this activity.
🚨💣 ÚLTIMA HORA - COMUNICADO DEL CLUB EN EL @diarioas.
“El Atlético llevará al Barcelona ante la justicia deportiva por la negociación con Julián Alvarez, un jugador con contrato hasta 2030 con los rojiblancos, para provocar el cambio del Metropolitano por el Camp Nou este verano”.
“En el pasado ya hemos visto la forma de funcionar del Barcelona”.
“Cuando el Atlético se estaba jugando la Champions frente a la Juve”.
“Prometiendo comisiones a su hermana (Griezmann) , a su familia y al propio jugador...”.
“No hay ninguna cantidad por la que el Barcelona pueda comprar a Julián, que no será transferido al Barcelona”. “O paga la cláusula (de 500 millones) o nada”.
“Todo el mundo sabe que es un club tramposo”.
“Se han topado con un club que no les va a reír la gracia”.
Brazilian malware campaign observed leveraging an HTA/VBScript loader using VBScript to stage payloads from larpers[.]eu into a random %TEMP% directory.
It downloads two files, renames them to p.exe and hda_config.dat, executes the PE silently, then opens a fake PDF as decoy:
Classic HTA + curl + temp payload execution chain.
larpers[.]eu/api/d/c66ae1c001c64d8a93574503077403cf/a?t=852c57eb7d0d9843c12c8eb344d12527/
Victims are lured to a fake digital artist portfolio ("Mya Artes"), complete with a convincing backstory, anime-themed design, and free artwork downloads. The advertised ZIP ultimately delivers an HTA loader that stages and executes the malware.
A good reminder that well-crafted fake websites remain highly effective infection vectors and AI is making it easier than ever for threat actors to build convincing phishing lures.
Last week I presented at #Rebellion2026 conference on DPRK IT workers, with a focus on endpoint forensics, OSINT investigations, abused identity marketplaces, and related tradecraft.
I also released a small tool #Ghosthire - a free triage tool for candidate screening and on some common tactics abused by DPRK IT Workers. You can drop a resume (docx/pdf) and it pulls and checks
1. Metadata
2. Identity mismatch detection
3. GitHub backdated commit history
4. VOIP phone number usage
5. And the best feature follower cluster mapping to find additional fake identities linked to the same Github account (Attached Figure, 1 account revealed 8 other accounts that needs review)
Tool Link - https://t.co/LU4oEqS07w
Here is the demo uploaded on YouTube
https://t.co/iI319gxFEL
🔒 Private DFIR Report: ClickFix Leads to Tsundere Bot, Tunnels, RMMs, and Double Theft
Hands-on-keyboard activity began less than 20 minutes after initial execution. The threat actor quickly performed host and domain discovery, captured screenshots, enumerated domain users and groups, and escalated operations through Cobalt Strike, Kerberoasting, and the use of compromised privileged credentials.
Request access to the private DFIR report or schedule a demo to see how our Threat Intelligence offering delivers timely, actionable intel for defenders: https://t.co/T4Yoza4Ipx
Final comment on the ServiceNow incident. I've had the opportunity to review the code that was live during the incident. There are appropriate guardrails in place to prevent arbitrary table write (e.g user creation, script execution).
Cuando el futbol femenino no necesitaba tapar una mala etapa del club... cuando Putellas ganaba títulos con el Espanyol (y no tenían repercusión mediática).
Otra (otra más) historia de la "Masia"
Putellas, Torrejón, Cucurella, Dani Olmo, Joan García.
Es muy difícil sobrevivir
An #adware campaign involving 50+ Chrome extensions (disguised as live wallpapers) has hit ~30K users. Spread across three publisher accounts, the attackers are pushing remote HTML to 40+ extensions and wiping IndexedDB on install and startup. Details at https://t.co/yihnkqJ3tj
One host touching 50+ internal IPs across 5+ ports in under 5 minutes is not “normal admin activity.”
That is how ransomware operators map your network before encryption. 👀
The best part?
This detection still works when the tool is renamed, packed, or stripped of metadata. Fully tool-agnostic.
I shared both the KQL and ESQL versions in the article. More discovery-phase detections soon.
On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.
This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they're targeting the developers who build them.
https://t.co/rl9EVrA371