Threat Research

Labs recently identified a wave of LNK file attacks targeting users in South Korea. These campaigns use multi-stage scripts and rely on GitHub as C2 infrastructure to avoid detection. While similar LNK files date back to 2024, earlier versions were less obfuscated and easier to trace, linking them to XenoRAT distribution....

In March 2026, Anthropic accidentally exposed the full source code of its Claude Code AI agent through a misconfigured npm package that included a large JavaScript source map file. The leak revealed hundreds of thousands of lines of unobfuscated code, exposing internal architecture, agent orchestration logic, and security-related components....

Axios, a popular JavaScript HTTP client with massive weekly downloads, was compromised after an attacker took over the lead maintainer’s npm account. They released two malicious versions (1.14.1 and 0.30.4) embedding a cross-platform remote access trojan (RAT)....

A software supply chain attack targeted the widely used axios NPM package by injecting a malicious dependency, plain-crypto-js, into specific versions, impacting millions of users. The malicious code acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems....

Between late February and March 2026, TeamPCP launched a calculated series of escalating supply chain attacks. They compromised trusted open-source security tools like Trivy, KICS, and the AI gateway LiteLLM. The campaign also targeted the official Python SDK of Telnyx. Malicious infostealer payloads were injected into GitHub Actions and PyPI registries....

Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....

EvilTokens is a newly identified phishing-as-a-service (PhaaS) kit that enables large-scale Microsoft device code phishing attacks, leveraging social engineering techniques and rapidly adopted by cybercriminals for Adversary-in-the-Middle (AitM) and Business Email Compromise (BEC) operations....

A cyberespionage campaign discovered in early 2026 involved three distinct threat clusters Paper Werewolf, Versatile Werewolf, and Eagle Werewolf targeting victims using malware disguised as Starlink registration services and drone training applications....

A growing share of cyber incidents now stems from supply chain attacks. Attackers use tactics like malicious open-source libraries or hijacked developer accounts. These compromised libraries spread widely, affecting countless applications and services. In March 2026, a trojanized LiteLLM Python library was uploaded to PyPI, infecting systems....

Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....