supply-chain-attack

Attackers hijacked the primary Axios maintainer's npm account and published two malicious versions that installed a cross-platform remote access trojan, exposing one of the JavaScript ecosystem's most downloaded packages.

Threat actor TeamPCP used credentials stolen in the Trivy compromise to backdoor LiteLLM versions 1.82.7 and 1.82.8 on PyPI, deploying a multi-stage credential stealer across an estimated 500,000 environments.

Sony's anime streaming service confirmed a breach of customer service ticket data after a threat actor compromised a Telus International support agent's credentials, claiming to have stolen 100 GB of user data.

U.S. investigators believe China-affiliated hackers penetrated the FBI's Digital Collection System Network, which manages FISA warrants and wiretap surveillance, by exploiting a commercial ISP vendor relationship.

Threat actor TeamPCP compromised the widely used Trivy vulnerability scanner through a retained access token from an earlier incomplete remediation, injecting credential-stealing payloads into official releases and GitHub Actions while defacing 44 Aqua Security repositories.

Attackers hijacked 75 of 76 version tags in the widely used trivy-action GitHub Action to steal CI/CD credentials, then deployed a self-propagating npm worm that uses the Internet Computer Protocol as an untakeable-down command-and-control channel.

Telus Digital confirmed a breach after ShinyHunters claimed to have stolen up to one petabyte of data using cloud credentials obtained in a prior third-party compromise.

A coordinated supply-chain campaign abused Open VSX extension dependencies and invisible Unicode payloads to compromise developer environments across VS Code and GitHub.

Lotus Blossom APT group compromised Notepad++ update infrastructure from June to December 2025, delivering Cobalt Strike and custom backdoors to select government and telecom targets