Introducing wormbox!

Transparent sandbox + pre-install audit for the macOS Node.js toolchain (npm, pnpm, yarn, bun). Every install runs under sandbox-exec; the audit reads tarballs first and flags the shapes seen in chalk, debug, Shai-Hulud: window.ethereum proxies, atob+eval lifecycle scripts, decoded payloads fed to Function(). AWS_*/GH_TOKEN never reach postinstall.

https://codeberg.org/head1328/wormbox

#SupplyChainSecurity #SandboxExec #NodeJS #PackageSecurity

The “Graphalgo” campaign represents a modular software supply-chain intrusion targeting developers directly.

Per ReversingLabs findings:
• 192 malicious npm/PyPI packages
• Delayed payload activation (post-version change)
• GitHub repos clean — malicious logic introduced via dependency chain
• RAT variants in JS, Python, VBS
• MetaMask wallet targeting
• Token-protected C2 channels
• GMT+9 commit indicators

Attribution aligns with historical tradecraft associated with Lazarus Group:
Crypto-focused targeting
Recruitment vector infection
Patience-based staged activation

This is a direct developer-layer attack bypassing enterprise perimeter defenses.

Source: https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

Are dependency registries the new primary attack surface?
Engage below.

Follow @technadu for advanced threat analysis.

#ThreatIntel #SupplyChainSecurity #MalwareAnalysis #RAT #OpenSourceSecurity #DevSecOps #LazarusGroup #PackageSecurity #AppSec #BlueTeam #CyberThreats #IoC #Infosec