New burrowing techniques

Webworm is a China-aligned APT group that has evolved its tactics since first being discovered in 2022, shifting focus from Asian targets to European governmental organizations. In 2025, the group deployed two new backdoors: EchoCreep, which uses Discord for command and control, and GraphWorm, which leverages Microsoft Graph API. Researchers decrypted over 400 Discord messages revealing four victims and analyzed a compromised Amazon S3 bucket used for data exfiltration. The group stages tools in GitHub repositories and uses multiple custom proxy solutions including WormFrp, ChainWorm, SmuxProxy, and WormSocket to create hidden networks. Webworm appears to exploit web vulnerabilities using tools like nuclei and dirsearch for initial access, targeting government entities and educational institutions across Europe and South Africa.

Pulse ID: 6a0df33ecc667be61a0a9608
Pulse Link: https://otx.alienvault.com/pulse/6a0df33ecc667be61a0a9608
Pulse Author: AlienVault
Created: 2026-05-20 17:45:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Amazon #Asia #BackDoor #China #CyberSecurity #Discord #Education #Europe #GitHub #Government #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Proxy #RAT #Worm #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The Worm That Keeps on Digging: Latest Wave

A sophisticated supply chain campaign targeting the open source developer ecosystem has emerged, compromising NPM packages in the @antv namespace, GitHub Actions including actions-cool/issues-helper, and the VSCode extension nrwl.angular-console. The malware initiates multi-stage infection chains using GitHub-hosted infrastructure and orphaned commits to deploy payloads via bun. It harvests extensive credentials including GitHub tokens, SSH keys, cloud credentials, and browser secrets, exfiltrating data through attacker-controlled public GitHub repositories. The campaign establishes persistence through a Python backdoor that polls GitHub for signed commands containing specific trigger strings, enabling remote code execution. Infrastructure analysis and operational patterns indicate moderate confidence attribution to the threat actor TeamPCP.

Pulse ID: 6a0c5b666ccb232590e33087
Pulse Link: https://otx.alienvault.com/pulse/6a0c5b666ccb232590e33087
Pulse Author: AlienVault
Created: 2026-05-19 12:45:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #Python #RAT #RCE #RemoteCodeExecution #SSH #SupplyChain #Troll #Worm #bot #AlienVault


Inside a Tor Backed Supply Chain Worm

A sophisticated npm supply chain attack was uncovered involving the typosquatted package crypto-javascri, designed to mimic the legitimate crypto-js library. The malware harvests npm and GitHub credentials from infected systems, hijacks maintainer accounts, and automatically republishes trojanized versions of packages under trusted identities. The final payload incorporates a weaponized Arti Tor client with credential theft, cryptomining capabilities, privilege escalation via SUID exploitation, and systemd-based persistence mechanisms. The campaign specifically targets Linux developer systems and CI/CD environments, using Tor-based command-and-control infrastructure to maintain anonymity and resilience. The attack creates significant downstream supply chain risk through its worm-like propagation model.

Pulse ID: 6a0d970b3015e77563f4a9fa
Pulse Link: https://otx.alienvault.com/pulse/6a0d970b3015e77563f4a9fa
Pulse Author: AlienVault
Created: 2026-05-20 11:12:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoMining #CyberSecurity #GitHub #InfoSec #Java #Linux #Malware #Mimic #NPM #OTX #OpenThreatExchange #RAT #Rust #SMS #SupplyChain #Trojan #Worm #bot #AlienVault


Copycat hits another npm package

A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.

Pulse ID: 6a0b921d3574a6ef2eca8d47
Pulse Link: https://otx.alienvault.com/pulse/6a0b921d3574a6ef2eca8d47
Pulse Author: AlienVault
Created: 2026-05-18 22:26:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #DDoS #DoS #GitHub #InfoSec #InfoStealer #Malware #NPM #OTX #OpenThreatExchange #RAT #RCE #Worm #bot #botnet #cryptocurrency #iOS #AlienVault


Active Supply Chain Attack Compromises Packages on npm

An active npm supply chain attack has compromised packages in the @antv ecosystem, affecting the maintainer account 'atool'. The attack is part of the Mini Shai-Hulud campaign, involving 639 compromised package versions across 323 unique packages. Notable affected packages include echarts-for-react with 1.1 million weekly downloads, and widely-used @antv packages for data visualization. The malware uses obfuscated install-time payloads that harvest developer credentials, GitHub tokens, npm tokens, AWS credentials, and other secrets from development and CI/CD environments. Stolen data is encrypted with AES-256-GCM and exfiltrated to a command-and-control server, with GitHub repositories used as fallback channels. The malware contains worm-like functionality to republish compromised packages and propagate through the npm ecosystem.

Pulse ID: 6a0c1b289f4fe8b7bdf00a84
Pulse Link: https://otx.alienvault.com/pulse/6a0c1b289f4fe8b7bdf00a84
Pulse Author: AlienVault
Created: 2026-05-19 08:11:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #SupplyChain #Worm #bot #AlienVault


Starting the week with Necropalace by #Worm. Every time I listen to it I like it more, what an album.

https://wormgloom.bandcamp.com/album/necropalace-24-bit-hd-audio

Necropalace (24-bit HD audio), by Worm

7 track album

Worm

Seedworm Launches Global Espionage Campaign Abusing Signed Binaries and Node.js Orchestration

Pulse ID: 6a0954ff8b83b84d3ddeba4f
Pulse Link: https://otx.alienvault.com/pulse/6a0954ff8b83b84d3ddeba4f
Pulse Author: cryptocti
Created: 2026-05-17 05:41:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Espionage #InfoSec #Nodejs #OTX #OpenThreatExchange #RAT #SeedWorm #Worm #bot #cryptocti


🔥 TRENDING

📢 Mini Shai-Hulud: The Worm Returns and Goes Public

🔗 https://www.akamai.com/blog/security-research/2026/may/mini-shai-hulud-worm-returns-goes-public

#Mini #Shai-hulud #Worm #Returns #GlobalFeed #News #EN

Automatically posted by Global Feed Bot

Because people (nobody really) are asking me:

"Can you explain #Parahumans / #Worm to me in as few lines as possible?"

sure!

See, it's always about a bleak outlook and escalation. It starts nice and cozy with bad school bullies, only like… 'attempted murder'-bad.

But it moves from that onto 'Superheroes vs. Villains' (again, starting easy with a human trafficking villain/dragon trying to kill a couple of teenagers, resulting in only some mutilation instead) and towards prevention of city-wide disasters pretty fast.

Where do you go from city-wide disasters? Of course to "humanity will die out soon"!

So a hundred things, each impossible to prevent and each of which will end mankind soon by force.

Well, and then you get the interdimensional space whales and the end of all possible worlds and the last epic fight of everyone (can't have heroes and villains working together without some nice self-mutilation and mind rape).

All that over epic length and graphic detail.

And then, when it's finally over and there's some non-bleak outlook? Then that's the perfect place to start the second part #Ward!

G33ky-Sozialzeugs