Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Execution/ T1059.001

T1059.001PowerShell

T1059.001 — PowerShell is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 137 detection use cases covering it and 209 threat-intel articles citing it.

Execution
View on the matrix → Filter Detection Library MITRE official spec ↗
137Use cases
209Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1059 · Command and Scripting Interpreter

Use cases covering this technique (137)

Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal exploit · alerting DSΣP Office app spawning script/LOLBin child process Internal exploit · alerting DSΣP Phishing-link click correlated to endpoint execution Internal delivery · alerting DSP PowerShell encoded / obfuscated command Internal exploit · alerting DSΣP [WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes Internal delivery · alerting DSPDD [WEEKLY] Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) Internal delivery · alerting DSΣPDD [WEEKLY] Developer/AI tooling runtime spawns shell or egress LOLBin (unauth RCE post-expl) Internal exploit · alerting DSPDDCS [WEEKLY] Developer package install spawning script-host with non-registry C2 within 5 minutes Internal install · alerting DSPDD [WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution Internal exploit · alerting DSΣPDD [WEEKLY] Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress Internal exploit · alerting DSΣPDD [WEEKLY] npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules Internal install · alerting DSΣPDD [WEEKLY] Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access Internal install · alerting DSPDD [WEEKLY] Package-manager install-time interpreter spawn with credential-file read and outbound egress within 120s Internal install · alerting DSPDD [WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime Internal install · alerting DSΣPDD [WEEKLY] Package manager lifecycle hook spawns runtime with outbound egress to non-registry host within 5 minutes Internal install · alerting DSPDD [WEEKLY] Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start Internal c2 · alerting DSΣPDD [WEEKLY] Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write Internal exploit · alerting DSPDD [WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain Internal exploit · alerting DSΣPDD [WEEKLY] Service-process parent spawns subprocess containing CLI-argument-injection tokens Internal exploit · alerting DSΣPDD [WEEKLY] Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host Internal exploit · alerting DSPDD Detect Certify With PowerShell Script Block Logging ESCU actions · alerting P Detect Empire with PowerShell Script Block Logging ESCU actions · alerting P Detect Mimikatz With PowerShell Script Block Logging ESCU actions · alerting P Exchange PowerShell Module Usage ESCU actions · alerting P Get-ForestTrust with PowerShell Script Block ESCU actions · alerting P GetLocalUser with PowerShell Script Block ESCU actions · hunting P GetWmiObject User Account with PowerShell Script Block ESCU actions · hunting P Malicious PowerShell Process - Execution Policy Bypass ESCU actions · hunting P Malicious PowerShell Process With Obfuscation Techniques ESCU actions · alerting P Nishang PowershellTCPOneLine ESCU actions · alerting P Possible Lateral Movement PowerShell Spawn ESCU actions · hunting P PowerShell 4104 Hunting ESCU actions · hunting P PowerShell - Connect To Internet With Hidden Window ESCU actions · hunting P Powershell COM Hijacking InprocServer32 Modification ESCU actions · alerting P Powershell Creating Thread Mutex ESCU actions · alerting P PowerShell Domain Enumeration ESCU actions · alerting P PowerShell Enable PowerShell Remoting ESCU actions · hunting P PowerShell Environment Variable Execution ESCU actions · hunting P Powershell Execute COM Object ESCU actions · alerting P Powershell Fileless Process Injection via GetProcAddress ESCU actions · alerting P Powershell Fileless Script Contains Base64 Encoded Content ESCU actions · alerting P Powershell Load Module in Meterpreter ESCU actions · alerting P PowerShell Loading DotNET into Memory via Reflection ESCU actions · hunting P PowerShell PInvoke Process Injection API Chain ESCU actions · alerting P Powershell Processing Stream Of Data ESCU actions · alerting P PowerShell Script Block With URL Chain ESCU actions · alerting P PowerShell Start or Stop Service ESCU actions · hunting P Powershell Using memory As Backing Store ESCU actions · alerting P PowerShell WebRequest Using Memory Stream ESCU actions · alerting P Recon Using WMI Class ESCU actions · hunting P Set Default PowerShell Execution Policy To Unrestricted or Bypass ESCU actions · alerting P Unloading AMSI via Reflection ESCU actions · alerting P Windows Account Access Removal via Logoff Exec ESCU actions · hunting P Windows Cobalt Strike PowerShell Loader ESCU actions · alerting P Windows Crowdstrike RTR Script Execution ESCU actions · hunting P Windows Default Cobalt Strike PowerShell Beacon ESCU actions · alerting P Windows Enable PowerShell Web Access ESCU actions · alerting P Windows Explorer.exe Spawning PowerShell or Cmd ESCU actions · hunting P Windows Explorer LNK Exploit Process Launch With Padding ESCU actions · alerting P Windows File Download Via PowerShell ESCU actions · hunting P Windows MSExchange Management Mailbox Cmdlet Usage ESCU actions · hunting P Windows Powershell Cryptography Namespace ESCU actions · hunting P Windows PowerShell FakeCAPTCHA Clipboard Execution ESCU actions · alerting P Windows PowerShell Get CIMInstance Remote Computer ESCU actions · hunting P Windows Powershell Import Applocker Policy ESCU actions · alerting P Windows PowerShell Invoke-RestMethod IP Information Collection ESCU actions · hunting P Windows PowerShell Invoke-Sqlcmd Execution ESCU actions · hunting P Windows Powershell Logoff User via Quser ESCU actions · hunting P Windows PowerShell Module File Created ESCU actions · hunting P Windows PowerShell MSIX Package Installation ESCU actions · alerting P Windows PowerShell Process Implementing Manual Base64 Decoder ESCU actions · hunting P Windows PowerShell Process With Malicious String ESCU actions · alerting P Windows Powershell RemoteSigned File ESCU actions · hunting P Windows PowerShell ScheduleTask ESCU actions · hunting P Windows PowerShell Script Block With Malicious String ESCU actions · alerting P Windows PowerShell Script From WindowsApps Directory ESCU actions · alerting P Windows PowerShell Script TabExpansion Direct Call ESCU actions · hunting P Windows PowerShell WMI Win32 ScheduledJob ESCU actions · alerting P Windows PowGoop Beacon Decoding ESCU actions · alerting P Windows Shell Process from CrushFTP ESCU actions · alerting P Windows Software Discovery Via PowerShell ESCU actions · hunting P Windows SSH Proxy Command ESCU actions · hunting P Windows Suspicious React or Next.js Child Process ESCU actions · alerting P Cisco Secure Firewall - Communication Over Suspicious Ports ESCU actions · hunting P Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity ESCU actions · alerting P CrushFTP Authentication Bypass Exploitation ESCU actions · alerting P Any Powershell DownloadFile ESCU actions · alerting P Any Powershell DownloadString ESCU actions · alerting P First time seen command line argument ESCU actions · hunting P Suspicious Powershell Command-Line Arguments ESCU actions · alerting P [LLM] splunkd spawning shell interpreters (CVE-2026-20253 post-exploit RCE) Bespoke install · alerting DSΣPDDCS [LLM] AI coding agent (Claude Code / Cursor / Codex) spawning shell that fetch-and-executes remote payload Bespoke install · alerting DSΣPDDCS [LLM] Shell/LOLBin spawned by LangGraph Python or Node runtime Bespoke install · alerting DSΣPDDCS [LLM] PowerShell process invoking LDAP:// with hardcoded plaintext credential Bespoke actions · alerting DSΣPDDCS [LLM] Self-hosted AI agent process spawns shell/curl/wget then executes the fetched payload Bespoke install · alerting DSΣPDDCS [LLM] Webserver / PHP interpreter spawns shell or LOLBin — post-upload RCE indicator Bespoke exploit · alerting DSΣPDDCS [LLM] FireAnt Metakit updater spawning unexpected child (supply-chain compromise) Bespoke delivery · hunting DSΣPDDCS [LLM] npm install lifecycle script spawns interpreter or network-fetcher child Bespoke install · alerting DSΣPDDCS [LLM] Chrome browser spawning LOLBin children post-V8 sandbox-escape (CVE-2026-11645) Bespoke exploit · hunting DSΣPDDCS [LLM] HTTP.sys / IIS w3wp.exe spawning shell or LOLBin (CVE-2026-47291 post-exploit) Bespoke exploit · alerting DSΣPDDCS [LLM] BEAM / Erlang VM spawns shell or interpreter child (post-RCE — CVE-2026-8467) Bespoke install · alerting DSΣPDDCS [LLM] WinRAR CVE-2025-8088 — archive tool writes payload to user Startup folder Bespoke install · alerting DSΣPDDCS [LLM] Startup LNK spawns cmd.exe → PowerShell in-memory DLL loader (GIFTEDCROOK chain) Bespoke install · alerting DSPDDCS [LLM] Web-server process (php-fpm / apache / nginx / w3wp) spawning shell or network tooling Bespoke exploit · hunting DSΣPDDCS Article-specific behavioural hunt — Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting Bespoke exploit · hunting DSP [LLM] PowerShell Invoke-WebRequest dropping script.ps1 to user AppData (KongTuke stage-2) Bespoke install · alerting DSΣPDDCS [LLM] mcp-remote OAuth authorization_endpoint RCE (CVE-2025-6514) — node spawning shell Bespoke exploit · alerting DSΣPDDCS [LLM] Argamal Scheduled Task Pointing at AppData\Local DLL via Color System Calibration Loader Bespoke install · alerting DSΣPDDCS [LLM] Downloader or shell child of npm/pip install (postinstall RAT loader) Bespoke install · alerting DSΣPDDCS [LLM] Post-exploit shell spawned by Vitest node.exe via rerun / saveTestFile (CVE-2026-47429) Bespoke exploit · alerting DSΣPDDCS [LLM] Node.js process spawning native shell / interpreter — post-vm2-escape host execution Bespoke exploit · alerting DSΣPDDCS [LLM] axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging Bespoke install · alerting DSΣPDDCS [LLM] PowerShell-parented taskkill of winrar.exe (Cloud Atlas LNK anti-forensic cleanup) Bespoke install · alerting DSΣPDDCS [LLM] PowerShower dropped to user Pictures folder as googleearth.ps1 Bespoke install · alerting DSΣPDDCS [LLM] SSH process spawned by Kopia invokes a shell child (ProxyCommand execution) Bespoke install · alerting DSPDDCS [LLM] GlassFish java process spawning command shell (CVE-2026-2587 RCE) Bespoke exploit · alerting DSΣPDDCS [LLM] Apache Camel JVM spawning shell or command interpreter via camel-exec (CVE-2026-47323 post-exploit) Bespoke install · alerting DSΣPDDCS [LLM] MLflow server process spawning Claude Code CLI or shell — CVE-2026-2611 RCE chain Bespoke exploit · alerting DSΣPDDCS [LLM] Web-server process (w3wp/php/nginx) spawns shell or LOLBin (post-SSTI RCE chain) Bespoke exploit · alerting DSΣPDDCS [LLM] n8n Node.js parent spawning OS shell — post-exploit RCE indicator for CVE-2026-44791 Bespoke exploit · alerting DSΣPDDCS [LLM] Post-exploit RCE: node.js (n8n) spawning shell or scripting interpreter Bespoke install · alerting DSΣPDDCS Article-specific behavioural hunt — Kimsuky targets organizations with PebbleDash-based tools Bespoke exploit · hunting DSP [LLM] Kimsuky JSE dropper: wscript -> powershell hidden + certutil -decode chain Bespoke delivery · alerting DSΣPDD [LLM] Java/Tomcat process spawns OS command interpreter (post-Thymeleaf SSTI RCE) Bespoke actions · alerting DSΣPDDCS Article-specific behavioural hunt — axios Compromised on npm - Malicious Versions Drop Remote Access Trojan Bespoke exploit · hunting DSP [LLM] PowerShell masquerading as Windows Terminal at %PROGRAMDATA%\wt.exe (Axios RAT Windows stage) Bespoke install · alerting DSΣPDDCS [LLM] PowerShell copy masqueraded as Windows Terminal in %PROGRAMDATA% running 6202033.ps1 Bespoke install · alerting DSΣPDD Article-specific behavioural hunt — Glassworm Strikes Popular React Native Phone Number Packages Bespoke exploit · hunting DSP [LLM] MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin Bespoke install · alerting DSΣP [LLM] Pastebin-piping stager retrieved from rentry.co/openclaw-core (macOS/Linux ClawHub skill) Bespoke delivery · alerting DSPDDCS Article-specific behavioural hunt — Fake Clawdbot VS Code Extension Installs ScreenConnect RAT Bespoke exploit · hunting DSP Article-specific behavioural hunt — G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Bespoke exploit · hunting DSP Article-specific behavioural hunt — LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Ja Bespoke exploit · hunting DSP [LLM] NPM preinstall hook fetching Bun installer from bun.sh (Sha1-Hulud dropper) Bespoke delivery · alerting DSΣPDDCS [LLM] Node.js process spawning interactive shell — suspected post-exploit RCE on Next.js / RSC server Bespoke exploit · alerting DSΣPDDCS [LLM] Cursor IDE or VS Code spawning PowerShell/WScript from extensions folder (Solidity Language malware chain) Bespoke exploit · alerting DSΣPDDCS [LLM] Tomcat/Java process spawns OS shell or LOLBin (post-webshell RCE) Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (209)

high FBI disrupts massive AI-powered phishing service using a million URLs art-01
med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server art-06
crit Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication art-09
crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15
high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18
crit China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade art-22
med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
crit LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution art-32
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33
med Over 73,000 French govt employees affected in Tchap messenger breach art-35
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36
crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities art-37
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41
crit New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files art-42
crit [GHSA / CRITICAL] CVE-2026-48062: CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule art-43
crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44
high Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspicious Files art-45
high npm v12 delivers one of the biggest security improvements in years art-46
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
high AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS. art-51
crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack art-53
crit OceanLotus: From external espionage to domestic targeting art-54
high GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks art-55
crit China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance art-59
crit Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities art-61
crit Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE art-62
crit Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs art-67
crit Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows art-71
high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74
crit [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook pl art-75
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Ag art-79
high Meta to Use Off-Site Business Data for Feed and AI Personalization art-81
crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82
crit Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now art-84
crit Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System art-85
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89
high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90
crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92
high When “Hi, This Is IT” Comes Through Microsoft Teams art-98
crit [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026-34084 art-99
crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108
high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114
high Securing CI/CD in an agentic world: Claude Code Github action case art-117
high Reporting from Vegas: Networking, AI, and good boys art-126
crit Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp art-127
high Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting art-129
high Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp art-130
high So You Have an AI Security Budget. Now what? art-131
med Type Level Security: The future of secure AI code generation? art-132
high Argamal: Malware hidden in hentai games art-137
crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139
high Why EDR and proxy won’t save you from supply chain malware art-142
crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) art-143
high Multiple redhat-cloud-services npm Packages compromised art-144
high Nx Console VS Code Extension Compromised art-146
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150
crit [GHSA / CRITICAL] CVE-2026-47429: When Vitest UI server is listening, arbitrary file can be read and executed art-157
high Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages art-159
crit Malicious npm packages abuse dependency confusion to profile developer environments art-161
crit [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subpro art-166
crit [GHSA / CRITICAL] CVE-2026-47140: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution art-173
high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183
high What MDM can't protect on developer machines (and what to do about it) art-186
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
crit ESET APT Activity Report Q4 2025–Q1 2026 art-189
med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190
crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit CISA KEV: CVE-2026-48027 — Nx Console Embedded Malicious Code Vulnerability art-203
crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
med Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise art-220
crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236
crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237
crit Webworm: New burrowing techniques art-240
crit [GHSA / CRITICAL] CVE-2026-45695: Kopia: RCE via SSH ProxyCommand Injection art-252
crit [GHSA / CRITICAL] CVE-2026-2587: GlassFish's gadget handler is vulnerable to RCE art-257
crit [GHSA / CRITICAL] CVE-2026-47323: Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering art-259
crit [GHSA / CRITICAL] CVE-2026-2611: MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local C art-264
crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267
crit Active Supply Chain Attack: Malicious node-ipc Versions Published to npm art-269
crit Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account art-270
crit [GHSA / CRITICAL] CVE-2026-45697: Formie: Pre-authenticated server-side template injection in Hidden fields art-273
high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281
crit Malicious node-ipc versions published to npm in suspected maintainer account compromise art-284
crit [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protoc art-288
crit [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval art-293
high The time of much patching is coming art-296
crit [GHSA / CRITICAL] CVE-2026-44791: n8n Has an XML Node Prototype Pollution Patch Bypass art-299
crit [GHSA / CRITICAL] CVE-2026-44789: n8n: HTTP Request Node Pagination Prototype Pollution to RCE art-301
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309
crit TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages art-312
crit Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack art-315
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325
crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332
crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333
crit Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools art-335
crit CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister art-336
crit lightning PyPI Compromise: A Bun-Based Credential Stealer in Python art-343
crit Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer art-345
high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346
high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348
high Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478) art-349
high Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers art-352
high It's time to treat browser extensions like supply chain attack vectors art-354
crit fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet art-360
high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361
crit New NGate variant hides in a trojanized NFC payment app art-369
crit What the ransom note won’t say art-370
crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
high Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor art-412
crit TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package art-413
high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420
high axios compromised on npm: maintainer account hijacked, RAT deployed art-421
crit litellm: Credential Stealer Hidden in PyPI Wheel art-423
crit Popular telnyx package compromised on PyPI by TeamPCP art-425
high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426
high CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem art-429
crit bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys art-431
high Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised art-432
crit Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys art-433
crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434
high xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning art-435
crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443
crit EDR killers explained: Beyond the drivers art-455
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
crit fast-draft Open VSX Extension Compromised by BlokTrooper art-459
crit Securing the Agent Skills Registry: How Snyk and Tessl Are Setting the Standard art-465
high Glassworm Strikes Popular React Native Phone Number Packages art-466
high DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear art-470
crit Cyber fallout from the Iran war: What to have on your radar art-474
crit Sednit reloaded: Back in the trenches art-477
crit Protecting education: How MDR can tip the balance in favor of schools art-491
crit PlugX Meeting Invitation via MSBuild and GDATA art-503
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
crit Naming and shaming: How ransomware groups tighten the screws on victims art-544
crit Another npm Supply Chain Attack: The 'is' Package Compromise art-554
high Why Your “Skill Scanner” Is Just False Security (and Maybe Malware) art-561
crit How a Malicious Google Skill on ClawHub Tricks Users Into Installing Malware art-564
crit Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise art-574
high npx Confusion: Packages That Forgot to Claim Their Own Name art-578
crit DynoWiper update: Technical analysis and attribution art-590
med Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan art-593
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets art-604
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608
high The Holiday Whisper: Shai-Hulud 3.0 art-635
crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642
crit ESET Threat Report H2 2025 art-647
high How Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF's Backstage Repository art-652
high Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised art-653
crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654
high Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE-2025-55182) art-673
high SHA1-Hulud, npm supply chain incident art-686
crit Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages art-690
med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694
crit PlushDaemon compromises network devices for adversary-in-the-middle attacks art-695
crit ESET APT Activity Report Q2 2025–Q3 2025 art-715
high How MDR can give MSPs the edge in a competitive market art-730
crit Gotta fly: Lazarus targets the UAV sector art-734
crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736
crit Phishing Campaign Leveraging the NPM Ecosystem art-754
crit CISA KEV: CVE-2011-3402 — Microsoft Windows Remote Code Execution Vulnerability art-762
high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789
high npm Supply Chain Attack via Open Source maintainer compromise art-794
high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806
crit Lessons from AWS CodeBuild’s Memory-Dump Incident (CVE-2025-8217) art-823
high Snyk Joins CISA's Secure by Design Pledge art-828
crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837
high Cursor IDE Malware Extension Compromise in $500k Crypto Heist art-842
low AI Trust in Action: How Snyk Agent Redefines Secure Development art-885
med Securing GenAI Development with Snyk art-1035
crit CISA KEV: CVE-2024-55956 — Cleo Multiple Products Unauthenticated File Upload Vulnerability art-1051
high The persistent threat: Why major vulnerabilities like Log4Shell and Spring4Shell remain significant art-1165
crit CISA KEV: CVE-2024-4879 — ServiceNow Improper Input Validation Vulnerability art-1200
high A stepping stone towards holistic application risk and compliance management of the Digital Operational Resiliency Act (DORA) art-1211
crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218
med Preventing broken access control in express Node.js applications art-1243
high Snyk AppRisk Pro: A holistic approach to application risk management art-1252
high Building an npm package compatible with ESM and CJS in 2024 art-1258
high Exploiting HTTP/2 CONTINUATION frames for DoS attacks art-1265
high GitHub “besieged” by malware repositories and repo confusion: Why you'll be ok art-1272
crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274
high Defense in Depth art-1278
crit New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends art-1294
crit Krampus delivers an end-of-year Struts vulnerability art-1300
high Cybersecurity Venture’s 2023 Software Supply Chain Attack Report art-1362
high Modern VS Code extension development tutorial: Building a secure extension art-1369
high XS leaks: What they are and how to avoid them art-1419
med Building a security-conscious CI/CD pipeline art-1423