https://davidoks.blog/p/ai-is-killing-the-cheap-smartphone #irony #humor #HackerNews #ngated
npm nuked every granular access token that bypasses 2FA after another Mini Shai-Hulud wave compromised hundreds of packages. Good news: staged publishing is now in public preview.
https://socket.dev/blog/npm-invalidates-tokens-mini-shai-hulud #NodeJS #JavaScript
Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.
Pulse ID: 6a0f06676dfe8431915ed38a
Pulse Link: https://otx.alienvault.com/pulse/6a0f06676dfe8431915ed38a
Pulse Author: AlienVault
Created: 2026-05-21 13:19:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #CAPTCHA #Cloud #CyberSecurity #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #RAT #Rust #SQL #SocialEngineering #Vulnerability #bot #AlienVault
PureLogs: Delivery via PawsRunner Steganography
Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell to decode and decrypt payloads. PawsRunner, a steganography loader, extracts encrypted data from PNG images containing cat photos. This loader evolved from simple PE downloads to sophisticated steganographic extraction with fallback mechanisms. The final payload, PureLogs version 5.0.0, is a comprehensive infostealer from the Pure family that harvests credentials from browsers, cryptocurrency wallets, password managers, communication apps, and other applications. It employs extensive async/await patterns and communicates with command and control infrastructure via HTTPS using multiple endpoints to exfiltrate encrypted and compressed stolen data.
Pulse ID: 6a0f272cd9c82db936e6a249
Pulse Link: https://otx.alienvault.com/pulse/6a0f272cd9c82db936e6a249
Pulse Author: AlienVault
Created: 2026-05-21 15:39:24
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #Browser #CyberSecurity #Endpoint #HTTP #HTTPS #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #SMS #Steganography #Word #bot #cryptocurrency #AlienVault
Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
Microsoft identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, affecting libraries like echarts-for-react with over 1 million weekly downloads. The attack propagates through dependency chains into CI/CD pipelines and cloud workloads. A 499 KB obfuscated JavaScript payload executes silently during npm install, specifically designed to steal credentials from GitHub Actions environments. Key capabilities include multi-platform credential theft (GitHub, AWS, HashiCorp Vault, npm, Kubernetes, 1Password), GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and SLSA provenance forgery. The payload targets CI/CD environments deliberately, with over 2,200 compromised repositories observed. GitHub responded by removing 640 malicious packages and invalidating 61,274 npm tokens.
Pulse ID: 6a0e3751a23f1487cbb26ac5
Pulse Link: https://otx.alienvault.com/pulse/6a0e3751a23f1487cbb26ac5
Pulse Author: AlienVault
Created: 2026-05-20 22:36:01
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #Cloud #CyberSecurity #GitHub #InfoSec #Java #JavaScript #Microsoft #NPM #OTX #OpenThreatExchange #Password #RAT #SupplyChain #Word #bot #AlienVault