supply-chain-attack

Kaspersky found official DAEMON Tools Lite installers trojanized from April 8 to May 5, 2026, deploying a multi-stage backdoor to over a dozen targeted machines. CISA added CVE-2026-8398 to its KEV catalog on May 27.

Attackers published lightning 2.6.2 and 2.6.3 to PyPI on April 30, executing an obfuscated JavaScript payload to harvest cloud credentials from anyone who imported the package. Maintainers quarantined the malicious builds within 42 minutes.

A malicious build of @bitwarden/cli@2026.4.0 was live on npm for roughly 93 minutes on April 22 after attackers used credentials stolen from Checkmarx to push a self-propagating worm that harvests cloud, Git, and AI tooling credentials.

Hackers exploited Anodot's integration with Rockstar's Snowflake cloud to steal nearly 80 million records of financial and analytics data, then published them after the studio refused to pay.

Attackers compromised CPUID's backend API and replaced download links for four popular hardware tools with malware-laden installers, infecting over 150 users across multiple countries.

The European Commission confirms a breach of its AWS-hosted Europa.eu platform after ShinyHunters published over 90 GB of stolen data. CERT-EU traces the intrusion to a supply chain attack on the Trivy security scanner.

Attackers hijacked the primary Axios maintainer's npm account and published two malicious versions that installed a cross-platform remote access trojan, exposing one of the JavaScript ecosystem's most downloaded packages.

Threat actor TeamPCP used credentials stolen in the Trivy compromise to backdoor LiteLLM versions 1.82.7 and 1.82.8 on PyPI, deploying a multi-stage credential stealer across an estimated 500,000 environments.

Sony's anime streaming service confirmed a breach of customer service ticket data after a threat actor compromised a Telus International support agent's credentials, claiming to have stolen 100 GB of user data.

U.S. investigators believe China-affiliated hackers penetrated the FBI's Digital Collection System Network, which manages FISA warrants and wiretap surveillance, by exploiting a commercial ISP vendor relationship.

Threat actor TeamPCP compromised the widely used Trivy vulnerability scanner through a retained access token from an earlier incomplete remediation, injecting credential-stealing payloads into official releases and GitHub Actions while defacing 44 Aqua Security repositories.

Attackers hijacked 75 of 76 version tags in the widely used trivy-action GitHub Action to steal CI/CD credentials, then deployed a self-propagating npm worm that uses the Internet Computer Protocol as an untakeable-down command-and-control channel.