Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files

An attacker registered the unscoped 'tanstack' name on npm and published four malicious versions (2.0.4-2.0.7) within 27 minutes on April 29, 2026. These packages contained postinstall hooks that automatically exfiltrated environment files containing sensitive credentials when developers ran npm install. The attacker exploited name confusion with the legitimate @tanstack organization, which publishes widely-used JavaScript libraries. The malicious code targeted .env files, stealing AWS keys, API tokens, database credentials, and OAuth secrets by sending them to an attacker-controlled Svix webhook endpoint. Version 2.0.6 was particularly dangerous, sweeping all .env variants in the working directory. The version history reveals live debugging by the attacker, who iteratively refined the payload targeting and stealth capabilities while the package remained publicly available with approximately 19,830 monthly downloads.

Pulse ID: 69f9fed3a3c5ca9c78a875a9
Pulse Link: https://otx.alienvault.com/pulse/69f9fed3a3c5ca9c78a875a9
Pulse Author: AlienVault
Created: 2026-05-05 14:29:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #NPM #OTX #OpenThreatExchange #RAT #Troll #bot #developers #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

@brunus :

Well, that's not really a high-level #troll throw, I think you can do better. You're only missing twenty years of training on #Usenet.

And then, #Python is really lame: a language where, when you replace one invisible character with another invisible character, BAM, it stops working, should be banned by the appropriate authorities.

Besides, comparing #bash to other stuff is like comparing your #skateboard to my #mariokart. It makes no sense except during the time slot reserved for a serious #apéro.

Interhackerspace pleroma

PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers

A fifth wave of the PhantomRaven NPM supply chain attack campaign has been discovered, utilizing 33 new malicious packages and fresh command-and-control infrastructure registered on March 10, 2026. The operation employs a sophisticated three-stage payload delivery mechanism using Remote Dynamic Dependency techniques to bypass static analysis. Malicious packages self-reference dependencies pointing to attacker-controlled servers at pack[.]nppacks[.]com, which deliver droppers that harvest developer credentials, system information, CI/CD tokens, GitHub repository names, and email addresses from Git configurations, NPM settings, and environment variables. The campaign specifically targets DeFi cryptocurrency developers, cloud infrastructure engineers working with Azure CDK, and AI application developers. All collected data is exfiltrated via POST requests to mozbra.php on the C2 server. Infrastructure analysis reveals connections to a legitimate Pakistani IT services company domain, suggesting potential accou...

Pulse ID: 69f8acdd6038448e350edbb9
Pulse Link: https://otx.alienvault.com/pulse/69f8acdd6038448e350edbb9
Pulse Author: AlienVault
Created: 2026-05-04 14:27:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #Cloud #CyberSecurity #ELF #Email #GitHub #InfoSec #NPM #OTX #OpenThreatExchange #PHP #Pakistan #RAT #SupplyChain #Troll #bot #cryptocurrency #developers #AlienVault

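The two npm pulses above share three warning signs a defender can check for mechanically: an unscoped package name that collides with a well-known organisation scope (tanstack vs @tanstack/*), a lifecycle script that npm runs automatically during install, and a dependency that resolves to an attacker-controlled URL instead of the registry. The following audit is an added example, not code from AlienVault or from any of the projects named in the pulses; the manifests it scans, the allow-list of scope names and the hostname pack.example.invalid are constructed for the demonstration.

```python
import re

# Constructed allow-list of npm organisations whose scope name an attacker might
# register as an unscoped package (the 'tanstack' vs '@tanstack/*' confusion above).
KNOWN_SCOPES = {"tanstack", "angular", "babel", "types", "vue"}

# Scripts npm may run automatically during `npm install` unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specifiers that fetch code from somewhere other than the registry
# (the "Remote Dynamic Dependency" pattern described in the PhantomRaven pulse).
REMOTE_SPEC = re.compile(r"^(https?://|git\+|git://|github:|file:)")


def audit_manifest(manifest):
    """Return a list of (severity, reason) findings for one package.json dict."""
    findings = []
    name = manifest.get("name", "")

    # 1. Name confusion: bare name equal to a known organisation scope.
    if not name.startswith("@") and name.lower() in KNOWN_SCOPES:
        findings.append(("high", f"unscoped name '{name}' collides with the @{name} organisation"))

    # 2. Install-time code execution: any lifecycle hook deserves a look.
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(("medium", f"runs a '{hook}' lifecycle script: {scripts[hook]!r}"))

    # 3. Dependencies resolved outside the registry.
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in manifest.get(section, {}).items():
            if REMOTE_SPEC.match(str(spec)):
                findings.append(("high", f"{section}: '{dep}' resolves to non-registry source {spec!r}"))
    return findings


def audit_tree(manifests):
    """Audit every manifest; returns {package name: findings} for packages that have any."""
    report = {}
    for manifest in manifests:
        findings = audit_manifest(manifest)
        if findings:
            report[manifest.get("name", "<unnamed>")] = findings
    return report


# Constructed sample manifests standing in for node_modules/*/package.json.
SAMPLE_MANIFESTS = [
    {"name": "tanstack", "version": "2.0.6",
     "scripts": {"postinstall": "node setup.js"}},
    {"name": "@tanstack/react-query", "version": "5.0.0",
     "scripts": {"build": "tsc"}},
    {"name": "cdk-helper-demo", "version": "1.0.0",
     "dependencies": {"cdk-helper-demo-core": "https://pack.example.invalid/core.tgz"}},
]

if __name__ == "__main__":
    for pkg, findings in audit_tree(SAMPLE_MANIFESTS).items():
        for severity, reason in findings:
            print(f"[{severity}] {pkg}: {reason}")
```

In a real repository you would feed `audit_tree` every `package.json` under `node_modules` (or the lockfile's resolved entries) rather than the embedded samples; setting `ignore-scripts=true` in `.npmrc` removes the install-time execution path that all four fake tanstack versions relied on.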

Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

A malicious artifact of the widely-used intercom/intercom-php package version 5.0.2 was discovered on Packagist, representing an expansion of the Mini Shai-Hulud supply chain attack from npm into the PHP ecosystem. The compromised package exploits Composer plugin execution to download Bun runtime and execute an obfuscated credential-stealing payload during installation. The malicious code harvests sensitive credentials including GitHub tokens, cloud provider credentials, SSH keys, Kubernetes tokens, and HashiCorp Vault secrets from developer machines and CI/CD environments. Stolen data is encrypted using AES-256-GCM and exfiltrated to attacker-controlled infrastructure. The payload also contains propagation logic to modify GitHub repositories and npm packages using stolen credentials. With approximately 12,700 daily installs, the compromised artifact potentially reached numerous high-value development environments before removal.

Pulse ID: 69f4696df292a40fd0caa46d
Pulse Link: https://otx.alienvault.com/pulse/69f4696df292a40fd0caa46d
Pulse Author: AlienVault
Created: 2026-05-01 08:50:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #GitHub #InfoSec #Mac #NPM #OTX #OpenThreatExchange #PHP #RAT #SSH #SupplyChain #Troll #bot #AlienVault


@roblosricos @eddeeMN @democratsabroad

when you #vote, you pick better or worse. if you show up consistently and sustain, you can build on that the next round until eventually you iterate to good

and it gets easier

when you don't vote, often because of #troll #psyop preying on #cynicism, you reward worse. if you continue to not vote, the next round it gets even worse, until you eventually iterate to outright #fascism

and it gets hard

that's it

that's the entirety of #voting in a nutshell

https://www.youtube.com/watch?v=-akjEcxyQfM

these guys need to quit the oil business and build their own hollywood.
#iran #lego #troll #movies

The U S Blocked the Strait… Until This Happened


Within a short time I keep seeing, via #BlueskyBridge and #Mastodon, new #Threema #Troll accounts on all sorts of instances, which act according to the same pattern every time. They give away codes for Threema (sometimes it looks like official marketing campaigns), but otherwise come across as very malicious and attack others, insult them and make false claims. 😕

A big request to all of you: don't give these accounts any reach, even if they want to give you something in return ...

Oh look! #Python #GYLPH thought he was secretly ripping my project apart with his up-acting gaggle of self obsessed #elites, but he instead became an #exposed #troll shrivelled in the light of day.

#Accountability is a bitch. They just saw an easy 'victim', or so they surmised. Sirs and Ma'ams, you were mistaken. 'Joyful-Discoverer-Gylph' only found what I had placed in plain view. #Burn

https://mastodon.social/@glyph/115452658138339709

Help by boosting his original post maybe? #OpenSource #Art