1Password A.I CyberSecurity Scoring
1Password
Company Information
Website: https://1password.com/
Employees number: 2,903
Number of followers: 107,946
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: 1password.com
1Password Risk Score (AI oriented)
Between 650 and 699
Updated: 14/05/2026
670/1000
Weak
B
Current Score
670 B (WEAK)
6 incidents
-15.75 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 673
MAY 2026: 688
Cyber Attack
01 May 2026 • 1Password
GitHub, PyPI and 1Password: 170 npm Packages Hijacked to Steal GitHub, AWS & Kubernetes Secrets
669
CRITICAL-19
PYPGIT1PA1778761827
Large-Scale Supply Chain Attack Compromises 170+ npm Packages and PyPI Libraries
Hackers have executed a sophisticated supply chain attack by infiltrating over 170 npm packages and two PyPI libraries, collectively downloaded more than 200 million times per week. The campaign, attributed to the resurfaced "Shai-Hulud" malware, steals developer and cloud credentials while exhibiting worm-like propagation across development ecosystems.
### Attack Mechanics
The malicious npm packages contain a hidden preinstall script that executes during installation, deploying a loader to fetch an obfuscated JavaScript payload. Unlike typical credential stealers, this malware modifies legitimate package code, injects malicious components, and republishes infected versions, turning compromised environments into new attack vectors.
The PyPI variant embeds a downloader in the import process, fetching a remote Python payload that targets cloud platforms, local systems, and developer tools. Both variants employ multi-layered obfuscation, including PBKDF2-SHA256 key derivation and AES-256 runtime decryption of the payload, to evade detection.
### Initial Compromise & Propagation
The attack originated from a misconfigured GitHub Actions workflow, where attackers exploited untrusted forked code to execute within a privileged environment. Once inside CI/CD pipelines, the malware extracts GitHub Actions tokens, OIDC identity data, and npm publishing credentials, enabling large-scale package hijacking.
### Credential Theft & Exfiltration
The payload targets a broad range of sensitive data, including:
- GitHub tokens, Actions secrets, and npm credentials
- AWS, GCP, and Azure credentials (via environment variables, files, and metadata services)
- Kubernetes service account tokens and HashiCorp Vault secrets
- SSH keys, .npmrc files, shell history, and API keys
- Password manager data (1Password, Bitwarden)
Stolen data is exfiltrated through encrypted uploads to attacker-controlled servers, GitHub repositories, and decentralized networks (e.g., Session/Oxen). A notable indicator is commits authored by "[email protected]."
### Destructive Capabilities
The malware includes a "dead-man switch": a persistent service that monitors the stolen GitHub tokens. If a token is revoked, the malware may trigger destructive actions, such as wiping the infected system. The PyPI variant can also deploy a second-stage payload capable of deleting entire Linux systems under certain conditions.
### Detection & Response
Security researchers at JFrog detected and blocked all malicious packages within 24 hours, but the incident highlights vulnerabilities in CI/CD trust mechanisms. The attack demonstrates how compromised build processes can turn verified pipelines into malware distribution channels, underscoring the need for stricter runtime monitoring and credential hygiene.
APRIL 2026: 688
MARCH 2026: 687
FEBRUARY 2026: 702
Cyber Attack
01 Feb 2026 • 1Password
OpenClaw, Coinbase, MetaMask, 1Password and Ledger Live: Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials
Hologram Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer
683
CRITICAL-19
METLED1PACOIOPE1778262200
New "Hologram" Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer
A sophisticated infostealer campaign, dubbed "Hologram," has been active since at least February 2026, targeting sensitive data stored in 250+ browser extensions tied to crypto wallets and password managers. The malware spreads via a fake installer for OpenClaw, a legitimate open-source AI assistant, hosted on a convincing typosquat domain (openclaw-installer[.]com), registered on March 9, 2026.
### How the Attack Works
1. Initial Infection
   - Victims download OpenClaw_x64[.]7z, a 130MB Rust-based executable padded with fake documentation to evade antivirus scans and bypass sandbox upload limits.
   - The dropper, named "Hologram" in its manifest, performs anti-analysis checks, including:
     - Scanning for virtual machine BIOS strings and suspicious software libraries.
     - Waiting for real mouse movement (automated sandboxes don't trigger this).
   - If the checks pass, it disables Windows Defender, opens firewall ports, and downloads six modular components from an attacker-controlled Azure DevOps repository.
2. Credential Theft & Persistence
   - The malware fetches a dynamic targeting list (hosted on Azure DevOps) covering:
     - 201 crypto wallets (MetaMask, Phantom, Coinbase, Ledger Live, etc.).
     - 49 password managers/authenticators (Bitwarden, LastPass, 1Password, Google Authenticator, etc.).
   - The list is remotely updatable, allowing attackers to expand targets without recompiling the malware.
   - Persistence mechanisms include:
     - Registry autoruns.
     - Windows logon hijacking.
     - Scheduled tasks.
     - Telegram-based droppers that survive even if the main implant is removed.
3. Evasive Infrastructure
   - Command-and-control (C2) servers are never hardcoded; instead, the malware retrieves them from Telegram channel descriptions, allowing rapid rotation if domains are blocked.
   - Victim data (usernames, IPs, timestamps) is routed through Hookdeck, a legitimate webhook relay service, obscuring the attacker's backend.
   - Researchers observed infrastructure rotation during analysis, with domains and IPs changing before findings were published.
### Key Indicators of Compromise (IoCs)
- File Hashes: Multiple Rust-based droppers (e.g., `OpenClaw_x64[.]exe`, `svc_service[.]exe`) and secondary payloads (e.g., `onedrive_sync[.]exe`, `WinHealhCare[.]exe`).
- Domains:
  - `openclaw-installer[.]com` (delivery).
  - `hkdk.events` (C2 relay via Hookdeck).
  - `dev.azure.com/sagonbretzpr` (payload staging).
  - Hijacked Brazilian law firm domain (`frr.rubensbruno.adv.br`) and others.
- IPs: `193.202.84.14`, `45.55.35.48`, `188.114.97.3` (C2 beacons).
- Registry Keys & Paths:
  - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` (logon hijack).
  - `C:\Users\Public\` (stage-2 binary drop location).
  - `%APPDATA%\Ledger Live` (targeted for wallet theft).
### Why This Campaign Stands Out
- Advanced Evasion: Uses Rust-based malware, in-memory .NET assembly loading (via `clroxide`), and Telegram for C2 rotation.
- Dynamic Targeting: The remote Git repository allows attackers to silently expand their target list without detection.
- Persistence: Multiple layers of registry, scheduled tasks, and Telegram-based backdoors ensure long-term access.
Researchers at Netskope Threat Labs identified this as a second, more advanced iteration of the campaign, following an earlier variant. The attack highlights the growing sophistication of infostealers, particularly in crypto and credential theft.
JANUARY 2026: 702
DECEMBER 2025: 703
NOVEMBER 2025: 703
Vulnerability
18 Nov 2025 • 1Password
Perplexity
HashJack: Indirect Prompt Injection Exploit in AI-Powered Browsers
698
CRITICAL-5
PER3034930112625
Perplexity's AI-powered browser Comet was exposed to HashJack, a critical indirect prompt injection vulnerability that exploits URL fragments (the part after the '#' symbol) to deliver hidden malicious instructions. Because the fragment is processed client-side and never sent to the server, the flaw allowed threat actors to bypass traditional controls such as server logs, network monitoring, and content security policies by embedding deceptive prompts (e.g., callback phishing, data exfiltration, misinformation, malware guidance, medical harm, and credential theft) that appeared as legitimate AI-generated responses. Users were tricked into divulging sensitive financial and personal data, installing backdoors, or following harmful medical advice, while the attack remained undetected.

Perplexity initially dismissed the report but later classified it as critical severity (P1), deploying fixes by November 18, 2025. The incident highlights systemic risks in AI browsers, where LLM susceptibility to prompt injection and flawed URL-handling design enable large-scale deception, financial fraud, and operational disruptions. The attack's stealth and automation potential, particularly in agentic browsers, posed severe reputational, financial, and trust-based damages, with long-term implications for user safety and regulatory compliance.
OCTOBER 2025: 721
Cyber Attack
07 Oct 2025 • 1Password
1Password
Phishing Campaign Targeting 1Password Users via Fake Breach Notifications
701
HIGH-20
1PA4132141100725
A sophisticated phishing campaign targeted employees of 1Password by exploiting the company's own breach notification system. Attackers sent deceptive emails mimicking 1Password's Watchtower alerts, falsely claiming the recipient's master password had been exposed in a data breach. The goal was to trick employees into surrendering their vault credentials, which would grant cybercriminals full access to all stored logins, passwords, and sensitive data within the password manager. The attack nearly succeeded, with at least one employee almost falling victim before recognizing the fraud.

Had credentials been compromised, the consequences could have been severe, potentially exposing corporate and customer secrets, financial records, and proprietary information stored in the password manager. The incident highlights the risks of social engineering targeting security-conscious organizations, where even well-trained employees can be manipulated through convincing impersonation tactics. While no actual breach occurred, the attempt underscores vulnerabilities in human trust mechanisms, particularly when attackers weaponize legitimate security features like breach notifications. The potential fallout, had it succeeded, could have included internal data leaks, reputational damage, and erosion of customer trust in 1Password's security guarantees.
SEPTEMBER 2025: 720
AUGUST 2025: 720
JULY 2025: 719
OCTOBER 2023: 751
Breach
01 Oct 2023 • 1Password
1Password
1Password Security Breach
693
MEDIUM-58
1PA175317124
1Password, a widely used password management platform adopted by more than 100,000 businesses, experienced a security breach when unauthorized individuals gained entry into its Okta ID management system.
Following a comprehensive examination, the company determined that there was no unauthorized access to user data stored within 1Password.
The company promptly terminated the unauthorized activity, conducted a thorough investigation, and confirmed that none of its data or other critical systems, whether employee-facing or user-facing, had been compromised.
According to 1Password, the threat actors gained access to its Okta tenant using a stolen session cookie belonging to an IT employee.
FEBRUARY 2017: 764
Breach
01 Feb 2017 • 1Password
1Password
Cloudbleed Security Flaw
706
CRITICAL-58
1PA637191123
Cloudflare servers were leaking large amounts of private data, including login passwords and authentication cookies.
Uber, Fitbit, 1Password, and OKCupid are just a few of the big names affected by the Cloudbleed security flaw in Cloudflare servers.
Because mobile apps use the same backends as browsers for HTTPS (SSL/TLS) termination and content delivery, they were likewise impacted by Cloudbleed.
Unusually, Cloudflare directed Tavis Ormandy, the researcher who reported the flaw, to the company's bug bounty programme and offered him a t-shirt as payment in lieu of cash.