Threat Research

    Endpoint Detection and Response (EDR) tools are more advanced than traditional antivirus and are widely used today. Attackers deploy EDR killers to bypass or disable these defenses, limiting visibility into system activity. As detection improves, attackers increasingly target security layers early in the attack lifecycle....
    Following the accidental leak of Anthropic’s Claude Code, threat actors quickly exploited the incident by creating fake “leaked” repositories to distribute malware such as Vidar stealer and GhostSocks....
    Oblivion Android RAT uses social engineering and fake update screens to trick users into installing a malicious app. It heavily abuses Android’s Accessibility Service to gain full control of the device and silently grant permissions. Once active, the malware can intercept SMS messages and OTP/2FA codes, log keystrokes, and monitor notifications....
    Labs recently identified a wave of LNK file attacks targeting users in South Korea. These campaigns use multi-stage scripts and rely on GitHub as C2 infrastructure to avoid detection. While similar LNK files date back to 2024, earlier versions were less obfuscated and easier to trace, linking them to XenoRAT distribution....
    In March 2026, Anthropic accidentally exposed the full source code of its Claude Code AI agent through a misconfigured npm package that included a large JavaScript source map file. The leak revealed hundreds of thousands of lines of unobfuscated code, exposing internal architecture, agent orchestration logic, and security-related components....
    Axios, a popular JavaScript HTTP client with massive weekly downloads, was compromised after an attacker took over the lead maintainer’s npm account. They released two malicious versions (1.14.1 and 0.30.4) embedding a cross-platform remote access trojan (RAT)....
    A software supply chain attack targeted the widely used axios npm package by injecting a malicious dependency, plain-crypto-js, into specific versions, impacting millions of users. The malicious code acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems....
    Between late February and March 2026, TeamPCP launched a calculated series of escalating supply chain attacks. They compromised trusted open-source security tools like Trivy, KICS, and the AI gateway LiteLLM. The campaign also targeted the official Python SDK of Telnyx. Malicious infostealer payloads were injected into GitHub Actions and PyPI registries....
    Researchers uncovered and analyzed the full source code of an AI-driven AitM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....
    EvilTokens is a newly identified phishing-as-a-service (PhaaS) kit that enables large-scale Microsoft device code phishing attacks. It leverages social engineering techniques and has been rapidly adopted by cybercriminals for Adversary-in-the-Middle (AitM) and Business Email Compromise (BEC) operations....
    A cyberespionage campaign discovered in early 2026 involved three distinct threat clusters (Paper Werewolf, Versatile Werewolf, and Eagle Werewolf) targeting victims using malware disguised as Starlink registration services and drone training applications....
    A growing share of cyber incidents now stems from supply chain attacks. Attackers use tactics like malicious open-source libraries or hijacked developer accounts. These compromised libraries spread widely, affecting countless applications and services. In March 2026, a trojanized LiteLLM Python library was uploaded to PyPI, infecting systems....
    Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....
    A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....
    A stealthy malware campaign is abusing digitally signed remote monitoring and management (RMM) tools to gain persistent access and evade detection. The attack leverages legitimate file-hosting updater mechanisms to execute cloud-syncing processes, enabling disguised traffic and potential data exfiltration....