#supply-chain
56 articles
Over 85 articles published between April 12 and May 17, 2026, examine supply-chain security, with 15 critical and 49 high-severity incidents reported. Threat actors Lazarus Group, TeamPCP, and CanisterSprawl were observed targeting technology, software development, cryptocurrency, logistics, and manufacturing sectors globally, with particular impact across North America, Europe, Asia, and the United States. Key vulnerabilities include CVE-2026-1731, CVE-2026-45033, CVE-2026-39987, CVE-2026-41650, and CVE-2026-44664, reflecting a mix of critical and medium-severity flaws.
HIGHGrafana GitHub Token Breach Lets Attacker Download Full Codebase
An attacker used a compromised GitHub token to download Grafana's entire private codebase. The company says no customer data was accessed and the incident involved an extortion...
MEDIUMMCP Registry OIDC Flaw CVE-2026-44428 Lets Attackers Hijack GitHub
CVE-2026-44428 (CVSS 4.7) in the MCP Registry before 1.7.6 lets attackers reuse stolen GitHub OIDC tokens across registry instances, enabling unauthorized server publishing and...
MEDIUMfast-xml-builder Flaw CVE-2026-44664 Enables XML Injection via
CVE-2026-44664 (CVSS 6.1) in fast-xml-builder lets attackers break out of XML comments and inject arbitrary content via triple-dash sequences; fixed in version 1.1.6.
CRITICALGitHub Copilot CLI Flaw CVE-2026-45033 Enables RCE via Malicious Repos
CVE-2026-45033 (CVSS 9.8) in GitHub Copilot CLI before 1.0.43 lets attackers achieve remote code execution by embedding a malicious bare git repository in a project directory.
HIGHFoxconn Confirms Ransomware Attack on North American Factories
Nitrogen ransomware gang claims 8TB of stolen data from Foxconn's North American factories, including technical files from major tech clients.
CRITICALTeamPCP Hijacks TanStack CI/CD, Poisons 170+ NPM/PyPI Packages
TeamPCP chained three GitHub Actions flaws to hijack TanStack's CI/CD, publishing 84 malicious artifacts across 42 packages.
MEDIUMFCC Delays Ban on Security Updates for Foreign-Made Routers to 2029
The FCC extended the deadline for banning software updates on foreign-made routers from March 2027 to January 2029, citing public interest concerns and industry pushback.
HIGHSailPoint Discloses GitHub Repo Breach via Third-Party App
SailPoint reported to the SEC that attackers accessed a subset of its GitHub repositories on April 20 via a third-party app vulnerability.
HIGHFake OpenAI Repo on Hugging Face Pushes Rust Infostealer
A typosquatted OpenAI repository reached #1 on Hugging Face with 244,000 downloads, delivering a Rust-based infostealer that targets browser credentials, crypto wallets, and VPN...
MEDIUMCyber Tax Raises Consumer Prices After Breaches, Podcast Warns
Malwarebytes Lock and Code podcast: Eva Velasquez details how small business cyberattacks create a 'cyber tax' that raises prices for all consumers — no sector immune.
HIGHFBI Warns Cybercriminals Driving $725M Cargo Theft Surge
FBI warns cargo theft losses hit $725M in US and Canada in 2025, driven by cybercriminals exploiting logistics IT systems to intercept shipments and redirect loads.
CRITICALPyTorch Lightning Compromised in PyPI Supply Chain Attack
Threat actors pushed malicious PyTorch Lightning versions 2.6.2 and 2.6.3 to PyPI on April 30, 2026, stealing credentials via a typosquatted dependency — Aikido Security, Socket,…
HIGHRussian GRU Targets Western Logistics, Tech Firms in Ukraine Aid
CISA warns Russian GRU hackers target Western logistics and tech firms supporting Ukraine aid since 2022.
MEDIUMVimeo Breach Tied to Anodot Vendor Hack, No Video Data Exposed
Vimeo attributed a security incident to a breach at analytics vendor Anodot; hackers accessed internal systems but not video content, logins, or payment data.
HIGHVercel Breach via Context.ai OAuth Token Theft
Vercel disclosed a breach after stolen OAuth tokens from Context.ai enabled unauthorized access to internal systems via a connected app. No customer data exposed.
CRITICALAxios npm Supply Chain Attack Delivers Cross-Platform RAT
Elastic Security Labs details a supply chain compromise of the axios npm package that deployed a unified RAT across platforms, impacting an unknown number of downstream…
MEDIUMESET: March 2026 Cyber Threats Show Resilience Gaps
ESET's Tony Anscombe warns that March 2026 attacks — including ransomware, supply chain compromises, and AI-driven phishing — reveal systemic gaps in organizational…
HIGHItron Breach: Utility Firm Discloses Internal IT Network Intrusion
Itron disclosed a cybersecurity incident in an SEC 8-K filing: an unauthorized third party accessed internal IT systems.
MEDIUMState Hackers Target Mining Sector Over Critical Minerals Supply
Recorded Future warns state-sponsored cyber operations increasingly target mining firms for critical minerals and rare earth elements, as China's refining dominance reshapes…
HIGH26 Fake Crypto Wallet Apps on Apple App Store Steal Seed Phrases
Kaspersky found 26 malicious apps on the Apple App Store since fall 2025 that impersonate wallets like MetaMask and Coinbase to steal recovery phrases and private keys via…
HIGHTropic Trooper Uses Trojanized SumatraPDF to Deploy AdaptixC2
Zscaler ThreatLabz links Tropic Trooper to a campaign using trojanized SumatraPDF to drop AdaptixC2 Beacon and abuse VS Code tunnels for remote access, targeting Chinese-speaking…
HIGHCanisterSprawl Worm Hijacks npm Packages, Steals Developer Tokens
The CanisterSprawl supply chain worm hijacks npm packages, uses stolen developer tokens to self-propagate, and exfiltrates data to an ICP canister, according to Socket and…
CRITICALCheckmarx KICS Supply-Chain Breach Hits Docker, VS Code
Attackers compromised Checkmarx KICS Docker images and VS Code extensions to steal cloud credentials, API keys, and source code from developer environments.
HIGHNorth Korean Hackers Steal $12 Million in Crypto via Trojanized
North Korean hackers siphoned over $12 million from crypto users in Q1 2026 using trojanized trading apps like CoinStats and TradingView AI Agent to steal recovery phrases and…
HIGHAgentic AI Systems Introduce Novel Enterprise Security Risks
Recorded Future warns that autonomous 'agentic' AI systems, now being integrated into enterprise software, create new attack surfaces for prompt injection, data poisoning, and…
HIGHNorth Korean Fake Job Scams Spread Malware via 'Contagious Interview'
North Korean operatives use a 'contagious interview' tactic, where a compromised developer's GitHub repo spreads RATs to other job seekers.
CRITICALBomgar RMM Exploit Fuels Ransomware and Supply Chain Attacks
CVE-2026-1731, a critical 9.8 CVSS flaw in BeyondTrust's Bomgar RMM, is being actively exploited to deploy ransomware and compromise IT service providers in global supply chain attacks.
HIGHMalicious Crypto Apps Hijack Recovery Phrases from Apple App Store
Apple removed 45 malicious cryptocurrency apps from its App Store after they stole recovery phrases and private keys from users, mimicking legitimate wallets like MetaMask and Coinbase.
CRITICALCISA Warns Axios npm Package Compromised in Supply Chain Attack
CISA alerts that the Axios npm package, with over 60 million weekly downloads, was compromised in a supply chain attack, injecting malicious code into downstream applications.
HIGHGitHub Issue Notifications Hijacked for Developer Phishing via OAuth Apps
Threat actors are using GitHub's trusted notification system to phish developers, pushing malicious OAuth apps that steal account data and hijack repositories. The campaign exploits the platform's own infrastructure to bypass traditional email security.
HIGHVercel Breach Exposes Customer Credentials via Compromised AI Tool
Vercel confirms a breach exposing limited customer credentials after attackers compromised an employee's account via a third-party AI tool, Context.ai. The cloud platform is resetting passwords and API tokens for affected users.
HIGH108 Malicious Chrome Extensions Hijack Browsers, Steal Google and Telegram Data
Socket identified 108 malicious Chrome extensions that infected 20,000 users, stealing Google and Telegram session cookies and injecting ads via a shared command-and-control server.
HIGHTeamPCP Supply Chain Attack Fuels Payroll Fraud and Ransomware
TeamPCP threat actors compromised trusted software tools to steal credentials from over 100 organizations, enabling $1.5M in payroll fraud, logistics theft, and ransomware extortion.
HIGHVercel Confirms Data Breach After Hackers Attempt to Sell Stolen Information
Vercel disclosed a security breach after threat actors attempted to sell stolen data, including customer account information and internal project details, on a hacking forum. The cloud platform is investigating the scope of the incident.
MEDIUMBusiness Impersonation Fraud Evolves with AI-Powered Shopping Scams
Recorded Future details how threat actors exploit corporate identity verification gaps, pivoting from cashing stolen checks to orchestrating AI-powered shopping scams that impersonate legitimate businesses to steal goods.
HIGHCybercriminals Hijack Logistics Systems to Steal High-Value Physical Cargo
Threat actors are compromising trucking and freight brokerage firms to manipulate shipments and steal physical cargo, moving beyond data theft to target high-value goods in transit.
HIGHRansomware Attack Disrupts Automotive Data Giant Autovista Group
Autovista Group, a major European automotive data and analytics firm, confirms a ransomware attack disrupting operations. The company is investigating with external experts, but impact on customer data remains unclear.
HIGHAdware Campaign Hijacks DNS to Expose Thousands of OT and Government Endpoints
A malicious adware campaign, active since at least 2023, hijacked DNS settings on over 25,000 systems to redirect traffic through attacker-controlled servers, exposing endpoints in critical OT and government networks to further compromise.
MEDIUMAsia's Digital Supply Chain Poses Distinct Security Challenges
Asia's interconnected digital ecosystems, divergent regulatory regimes, and rapid AI adoption are creating unique and complex security risks for regional and global supply chains, according to a new analysis.
HIGHEssentialPlugin WordPress Suite Compromised to Deploy Backdoor on Thousands of
The EssentialPlugin suite, comprising over 30 popular WordPress plugins, has been compromised to inject a backdoor granting attackers administrative access to thousands of websites. The supply chain attack is actively being exploited.
INFORMATIONALLegitify Open-Source Tool Scans GitHub, GitLab for Security Misconfigurations
Legit Security releases Legitify, an open-source scanner that identifies security misconfigurations in GitHub and GitLab organizations, repositories, and CI/CD runners to combat software supply chain risks.
HIGHSigned Adware Tool Disables Antivirus with SYSTEM Privileges
A digitally signed adware tool, 'PC App Store', has been abused to deploy scripts that disable antivirus software with SYSTEM privileges, impacting thousands of endpoints in sectors like education and government.
HIGHThreat Actors Weaponize n8n Workflow Platform for Phishing and Payload Delivery
Attackers have been abusing the legitimate n8n workflow automation platform since October 2025 to send phishing emails and deliver malware, leveraging its trusted infrastructure to bypass email security filters.
HIGHWordPress Plugin Supply Chain Attack Deploys Backdoor After 8-Month Dormancy
A threat actor purchased a legitimate WordPress plugin business and hid a backdoor in updates for eight months before activating it, compromising thousands of sites in a sophisticated supply chain attack.
HIGHFake Ledger Live App on Apple App Store Steals $9.5M in Cryptocurrency
A malicious Ledger Live app distributed via Apple's official App Store for macOS stole approximately $9.5 million from 50 victims by harvesting recovery phrases.
HIGHMalicious Chrome Extensions Hijack OAuth Tokens, Deploy Backdoors
Over 100 malicious extensions in the official Chrome Web Store are stealing Google OAuth2 tokens, deploying backdoors, and committing ad fraud, impacting millions of users.
HIGHCritical PHP Composer Flaws Allow Remote Command Execution via Perforce Driver
Two high-severity command injection vulnerabilities (CVE-2026-40176, CVE-2026-40177) in PHP Composer's Perforce driver enable arbitrary command execution on developer systems during package operations.
HIGHCPUID Software Downloads Compromised, Delivered STX RAT Malware
Threat actors compromised CPUID's download infrastructure for six hours, redirecting users to malicious sites serving the STX RAT. Official signed files were not affected.
HIGHCPUID Website Compromised to Distribute Trojanized System Utilities
A Russian-speaking threat actor hacked the CPUID website, replacing legitimate download links for CPU-Z and HWMonitor with trojanized installers delivering the STX RAT malware.
HIGHFake Claude AI Website Delivers PlugX RAT via DLL Sideloading
A fraudulent website impersonating Anthropic's Claude AI distributes a self-deleting installer that deploys the PlugX remote access trojan via DLL sideloading.
CRITICALCritical Marimo RCE Flaw Exploited Within Hours of Disclosure
A critical pre-authentication remote code execution vulnerability (CVE-2026-39987) in the Marimo Python notebook was exploited in the wild within 10 hours of public disclosure, posing a severe risk to data science environments.
HIGHBackdoored Smart Slider 3 Pro Update Deployed via Compromised Plugin Servers
Unknown threat actors compromised the update infrastructure for the Smart Slider 3 Pro WordPress plugin, pushing a backdoored version (3.5.1.35) to users. The attack leverages a supply chain compromise to gain administrative access.
HIGHGlassWorm Uses New Zig Dropper to Target Developer IDEs via Fake VS Code Extension
Researchers discovered GlassWorm’s latest Zig dropper hidden in a malicious VS Code extension, allowing silent infection of multiple IDEs on developer workstations.
HIGHNorth Korean Lazarus Group Compromises OpenAI via Axios Supply Chain Attack
North Korea's Lazarus Group compromised OpenAI's internal systems via a supply chain attack on the Axios client library, using a stolen macOS code-signing certificate to sign malware.
MEDIUMOrange Business Integrates AI into Enterprise Voice, Raises Security Questions
Orange Business is embedding generative AI into its enterprise voice platforms, a move that expands the attack surface and introduces novel data security and privacy risks.
MEDIUMOberon System 3 Native Port for Raspberry Pi Raises Supply Chain Security Concerns
A native port of the Oberon System 3 for Raspberry Pi 3, distributed via a pre-configured SD card image, presents a potential supply chain attack vector. The image's provenance and integrity cannot be fully verified, highlighting risks in third-party firmware distribution.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.