Intelligence Feed

Latest threat intelligence articles from trusted security sources, auto-processed to extract entities, IoCs, and TTPs.

Filtered by source: socket-dev

PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems

32m ago · socket-dev

PolinRider is a North Korea-linked supply chain campaign targeting developer ecosystems, including npm, Packagist, Go modules, and Chrome extensions. The threat actors compromise maintainer accounts, modify legitimate repositories with obfuscated JavaScript loaders, and use Git history rewriting to conceal malicious changes. These loaders retrieve encrypted second-stage payloads from blockchain infrastructure, execute them via eval(), and have delivered malware such as DEV#POPPER and OmniStealer. The campaign remains active, with ongoing compromises across multiple open source platforms.

7 IoCs · 2 Actors

GitHub Actions Checkout Now Blocks Risky pull_request_target Checkouts

2h ago · socket-dev

GitHub has released actions/checkout v7 to mitigate a long-standing supply chain risk in GitHub Actions where privileged workflows using pull_request_target could execute attacker-controlled code from untrusted pull requests. These workflows run with elevated permissions, including access to secrets and tokens, and previously allowed malicious actors to steal credentials or publish malicious packages. The update blocks unsafe checkouts by default, particularly those pulling code from forked pull requests in high-privilege contexts. This change addresses a known attack pattern exploited in recent incidents involving Nx, PostHog, and TanStack.

The Code You Didn't Write Is Still Yours to Defend

2h ago · socket-dev

The article discusses the growing risk of software supply chain attacks in the era of AI-powered development, where AI agents autonomously pull and execute unvetted open source packages outside traditional security monitoring. These agents operate in blind spots, such as ephemeral sandboxes, where no scanning or registry controls exist. The speed of modern attacks—often exploiting vulnerabilities within hours of disclosure—exceeds traditional response timelines, rendering forensic-focused defenses ineffective. Proactive governance at the point of package ingestion, supported by real-time threat intelligence, is presented as a necessary defense.

Frontier AI Is Now Critical Infrastructure

2h ago · socket-dev

The U.S. government abruptly suspended global access to Anthropic's AI models, Claude Fable 5 and Mythos 5, citing national security risks following jailbreaks and unauthorized vulnerability discoveries in federal systems. The models, used for automated code analysis, were deemed a supply chain risk, prompting a federal blackout and export controls under ECRA. The shutdown highlights the growing classification of advanced AI as critical infrastructure, with significant implications for enterprise dependency and national cybersecurity policy.

Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem

2h ago · socket-dev

A new wave of the Miasma Mini Shai-Hulud supply chain attack has compromised npm packages under LeoPlatform and RStreams, as well as a Go module associated with Verana Blockchain. The campaign uses malicious binding.gyp files in npm packages to trigger JavaScript execution during installation, stages payloads via Bun, and targets developer environments, CI/CD pipelines, and GitHub Actions for credential theft. It also spreads through poisoned repositories and source configurations, with persistence mechanisms targeting AI coding assistants and IDEs. The activity overlaps with prior incidents involving the same malware family and operational markers like 'RevokeAndItGoesKaboom'.

37 IoCs · 1 Malware

Rolldown Pulls Rust React Compiler Integration After Binary Size Increase

2h ago · socket-dev

The Rolldown and Vite projects withdrew a Rust-based React Compiler integration due to a 17% increase in binary size, raising concerns about framework-specific bloat in otherwise agnostic tools. The integration, funneled through the Oxc project, aimed to improve build performance but faced criticism for imposing costs on all users regardless of React usage. The debate highlights a broader tension in frontend tooling between performance gains from native Rust integrations and the overhead of larger binaries, with potential implications for other frameworks like Vue, Svelte, and Angular.

Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

2h ago · socket-dev

The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise legitimate @immobiliarelabs npm packages, specifically Backstage plugins for GitLab and LDAP authentication. Malicious versions were published on June 26, 2026, using a hidden root-level index.js to execute a multi-stage payload that steals developer and CI/CD secrets, including tokens, SSH keys, and cloud credentials. The attack leverages GitHub Actions deployment triggers and may have originated from a compromised third-party GitHub Action, codfish/semantic-release-action, enabling further propagation through poisoned workflows and exfiltration to attacker-controlled repositories.

71 IoCs

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

2h ago · socket-dev

Malicious Chrome and Firefox browser extensions branded as 'VPN Go: Free VPN' have been distributing clipboard-stealing malware through staged updates. Initially appearing as legitimate free VPN tools, the extensions later added functionality to monitor and exfiltrate clipboard data, including passwords, API keys, and cryptocurrency addresses. The stolen data is sent to hardcoded IP addresses using HTTP GET requests with chunked encoding and session identifiers. Both extensions use obfuscated JavaScript and share infrastructure, indicating a coordinated campaign targeting user privacy under the guise of security.

11 IoCs

Risky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain Security

2h ago · socket-dev

The article discusses a surge in software supply chain attacks, where threat actors compromise popular open source packages and leverage trusted development workflows to distribute malicious code. The rise of AI coding agents exacerbates the risk by automatically pulling in dependencies without sufficient review, increasing the speed and scale of potential compromise. Attackers are targeting development tools such as package registries, IDE extensions, and source repositories, often evading traditional security measures.