Threat Research

Labs recently identified a wave of LNK file attacks targeting users in South Korea. These campaigns use multi-stage scripts and rely on GitHub as C2 infrastructure to avoid detection. While similar LNK files date back to 2024, earlier versions were less obfuscated and easier to trace, linking them to XenoRAT distribution....

Axios, a popular JavaScript HTTP client with massive weekly downloads, was compromised after an attacker took over the lead maintainer’s npm account. They released two malicious versions (1.14.1 and 0.30.4) embedding a cross-platform remote access trojan (RAT)....

A software supply chain attack targeted the widely used axios NPM package by injecting a malicious dependency, plain-crypto-js, into specific versions, impacting millions of users. The malicious code acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems....

Between late February and March 2026, TeamPCP launched a calculated series of escalating supply chain attacks. They compromised trusted open-source security tools like Trivy, KICS, and the AI gateway LiteLLM. The campaign also targeted the official Python SDK of Telnyx. Malicious infostealer payloads were injected into GitHub Actions and PyPI registries....

Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....

A cyberespionage campaign discovered in early 2026 involved three distinct threat clusters Paper Werewolf, Versatile Werewolf, and Eagle Werewolf targeting victims using malware disguised as Starlink registration services and drone training applications....

A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....

Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....

UNC2814 is a PRC-aligned cyber espionage group active since at least 2017. It targets telecom and government sectors to steal communications intelligence and PII. The group has operated in 42 confirmed countries and over 70 suspected across multiple regions Africa, Asia, and the Americas....

DarkSword is a sophisticated iOS full-chain exploit leveraging multiple zero-day vulnerabilities to fully compromise devices running iOS 18.4 to 18.7. Since late 2025, it has been used by commercial surveillance vendors and state-sponsored actors across campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine....