Clankerusecase
MITRE ATT&CK detection coverage

T1059.004 Unix Shell

T1059.004 — Unix Shell is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 113 detection use cases covering it and 75 threat-intel articles citing it.

Execution
113 use cases · 75 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (113)

[WEEKLY] Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (Internal delivery · alerting)
[WEEKLY] Developer/AI tooling runtime spawns shell or egress LOLBin (unauth RCE post-expl) (Internal exploit · alerting)
[WEEKLY] Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (Internal exploit · alerting)
[WEEKLY] Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (Internal install · alerting)
[WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (Internal exploit · alerting)
[WEEKLY] Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress (Internal exploit · alerting)
[WEEKLY] Package install lifecycle hook spawns interpreter that reads developer credential stores (Internal install · alerting)
[WEEKLY] Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (Internal install · alerting)
[WEEKLY] Package-Manager Install -> Interpreter Child -> Non-Registry Egress Within 5 Minutes (Internal install · alerting)
[WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime (Internal install · alerting)
[WEEKLY] Package manager spawns network-fetching child to public code-hosting within minutes of install (Internal install · alerting)
[WEEKLY] Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write (Internal exploit · alerting)
[WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (Internal exploit · alerting)
[WEEKLY] Service-process parent spawns subprocess containing CLI-argument-injection tokens (Internal exploit · alerting)
[WEEKLY] Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host (Internal exploit · alerting)
[WEEKLY] Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop (Internal install · alerting)
Linux Decode Base64 to Shell (ESCU actions · alerting)
Linux Magic SysRq Key Abuse (ESCU actions · alerting)
Linux Suspicious React or Next.js Child Process (ESCU actions · alerting)
Linux Unix Shell Enable All SysRq Functions (ESCU actions · hunting)
MacOS LOLbin (ESCU actions · alerting)
Suspicious Linux Discovery Commands (ESCU actions · alerting)
[LLM] splunkd spawning shell interpreters (CVE-2026-20253 post-exploit RCE) (Bespoke install · alerting)
[LLM] AUR helper or makepkg spawning npm/node to install atomic-lockfile or js-digest (Bespoke install · alerting)
[LLM] Atomic Arch: makepkg child spawning npm install atomic-lockfile or bun install js-digest (Bespoke delivery · alerting)
[LLM] Atomic Arch: deps ELF execution by SHA256/MD5 or src/hooks/deps path (Bespoke install · hunting)
[LLM] Atomic Arch — pacman/makepkg post-install spawning npm install of atomic-lockfile (Bespoke install · alerting)
[LLM] Atomic Arch — ELF payload 'deps' written or executed under build/cache directories after AUR install (Bespoke install · alerting)
[LLM] Shell/LOLBin spawned by LangGraph Python or Node runtime (Bespoke install · alerting)
[LLM] Ivanti Sentry CVE-2026-10520 handleMessage exploit attempt (commandexec XML) (Bespoke exploit · alerting)
[LLM] Shell or recon binary spawned by Tomcat/Java on Ivanti Sentry (CVE-2026-10520 post-exploitation) (Bespoke exploit · alerting)
[LLM] Self-hosted AI agent process spawns shell/curl/wget then executes the fetched payload (Bespoke install · alerting)
[LLM] Webserver / PHP interpreter spawns shell or LOLBin — post-upload RCE indicator (Bespoke exploit · alerting)
[LLM] MIPS shell-script dropper on Linux edge device — JDY architecture-aware payload fetch (Bespoke install · hunting)
[LLM] Fortinet FortiSandbox WEB UI command injection HTTP pattern (CVE-2026-25089) (Bespoke exploit · hunting)
[LLM] Pheditor CVE-2026-48030 — web server spawning shell interpreter from terminal handler RCE (Bespoke install · alerting)
[LLM] Pheditor CVE-2026-48030 — shell metacharacters in 'dir' POST parameter to pheditor.php (Bespoke exploit · alerting)
[LLM] Pheditor CVE-2026-48030 — webshell drop: PHP / web account writing .php to webroot (Bespoke install · alerting)
[LLM] BEAM / Erlang VM spawns shell or interpreter child (post-RCE — CVE-2026-8467) (Bespoke install · alerting)
[LLM] LiteLLM proxy (uvicorn/python) spawning shell or LOLBin — CVE-2026-42271 post-exploit (Bespoke install · alerting)
[LLM] Web-server process (php-fpm / apache / nginx / w3wp) spawning shell or network tooling (Bespoke exploit · hunting)
[LLM] Qilin Linux ransomware ELF payload (CVE-2026-50751 campaign) — known MD5 file event (Bespoke install · hunting)
[LLM] Rclone exfiltration from Check Point VPN gateway or post-bypass internal host (Bespoke actions · hunting)
[LLM] DbGate node process spawning shell child (post-exploit RCE) (Bespoke install · alerting)
[LLM] DbGate CVE-2026-47668 — Node.js runner spawning shell/LOLBin children for egress (Bespoke exploit · alerting)
[LLM] Stata binary spawning OS shell (CVE-2026-47708 stata-mcp log_file_name injection) (Bespoke exploit · alerting)
[LLM] Enterprise Gateway python container spawns shell or reads K8s service-account token (CVE-2026-44181 RCE) (Bespoke install · alerting)
[LLM] PHP CLI drops hidden /tmp dropper artefacts (Laravel-Lang autoload payload) (Bespoke install · alerting)
[LLM] Suspicious child process spawned by PraisonAI uvicorn/python A2A server (eval() RCE evidence) (Bespoke exploit · alerting)
[LLM] PraisonAI Python subprocess spawns OS shell with discovery / credential-reading commands (Bespoke exploit · alerting)
[LLM] PraisonAI python process spawning shell, curl, or wget (post-exploitation tool-use abuse) (Bespoke actions · alerting)
[LLM] Node.js process spawning OS shell with enumeration commands — vm2 sandbox escape (CVE-2026-47137) (Bespoke exploit · hunting)
[LLM] Web service in container spawning interactive shell (Redis/nginx RCE) (Bespoke exploit · alerting)
[LLM] Yamcs JVM spawns shell or network utility (CVE-2026-46621 post-exploitation) (Bespoke install · alerting)
[LLM] Yamcs JVM spawning a POSIX shell — Nashorn Runtime.exec post-exploitation (Bespoke install · alerting)
[LLM] Reverse-shell /dev/tcp file descriptor from Yamcs java process tree (Bespoke c2 · alerting)
[LLM] Hazy Scorpius (CL0P) Oracle EBS exploitation via CVE-2025-61882 — concurrent processing spawns shell/wget (Bespoke exploit · alerting)
[LLM] Node.js web process spawning shell (LiquidJS RCE post-exploit) (Bespoke exploit · alerting)
[LLM] Yamcs JVM spawning OS shell/interpreter (Janino RCE via CVE-2026-44632) (Bespoke exploit · alerting)
[LLM] Composer install of malicious helpers.php in laravel-lang vendor package (Bespoke delivery · hunting)
[LLM] nezha-agent spawning credential-access shell commands on Linux (post-RCE) (Bespoke actions · alerting)
[LLM] Megalodon harvester: curl POST to C2 /collect endpoint on Linux runner (Bespoke actions · alerting)
[LLM] 9router CVE-2026-46339 — GET /api/mcp/{plugin}/sse triggers stored command spawn() (Bespoke exploit · alerting)
[LLM] 9router Node.js process spawning shell binary (CVE-2026-46339 post-exploit) (Bespoke install · alerting)
[LLM] Reverse shell from 9router-spawned shell — outbound TCP from node-child bash (Bespoke c2 · hunting)
[LLM] Kopia process spawns ssh with -oProxyCommand= argument (CVE-2026-45695) (Bespoke exploit · alerting)
[LLM] SSH process spawned by Kopia invokes a shell child (ProxyCommand execution) (Bespoke install · alerting)
[LLM] GlassFish java process spawning command shell (CVE-2026-2587 RCE) (Bespoke exploit · alerting)
[LLM] Apache Camel JVM spawning shell or command interpreter via camel-exec (CVE-2026-47323 post-exploit) (Bespoke install · alerting)
[LLM] Algernon web server spawning shell child process (CVE-2026-45721 handler.lua RCE) (Bespoke exploit · alerting)
[LLM] MLflow server process spawning Claude Code CLI or shell — CVE-2026-2611 RCE chain (Bespoke exploit · alerting)
[LLM] Web-server process (w3wp/php/nginx) spawns shell or LOLBin (post-SSTI RCE chain) (Bespoke exploit · alerting)
[LLM] utcp-cli command injection via UTCP_ARG substitution in python→bash -c CMD_N_OUTPUT script (Bespoke exploit · alerting)
[LLM] DeepSeek-TUI sub-agent shell execution via AGENTS.md prompt injection (CVE-2026-45374) (Bespoke exploit · alerting)
[LLM] DeepSeek-TUI spawning 'cargo test' — CVE-2026-45311 auto-approved run_tests pathway (Bespoke exploit · hunting)
[LLM] Rust cargo-test binary in target/debug/deps spawning shell or network tool (CVE-2026-45311 exploitation) (Bespoke exploit · alerting)
[LLM] Container escape via chroot/nsenter against mounted host filesystem (Bespoke actions · alerting)
[LLM] n8n Node.js parent spawning OS shell — post-exploit RCE indicator for CVE-2026-44791 (Bespoke exploit · alerting)
[LLM] Post-exploit RCE: node.js (n8n) spawning shell or scripting interpreter (Bespoke install · alerting)
[LLM] AdaptixC2 'systemd-resolved' or Sliver 'CWan' implant on Linux / SD-WAN host (Bespoke install · hunting)
[LLM] Flowise node.exe Spawning OS Shell or Command-Line Utility - Post-Exploit RCE (CVE-2026-46442) (Bespoke exploit · alerting)
[LLM] Stage-3 exfil archive trin.tar.gz POST via curl --data-binary (Bespoke actions · alerting)
[LLM] Java/Tomcat process spawns OS command interpreter (post-Thymeleaf SSTI RCE) (Bespoke actions · alerting)
[LLM] Qinglong CVE-2026-4047 case-mismatch auth bypass via /aPi/system/command-run (Bespoke exploit · alerting)
[LLM] Qinglong .fullgc cryptominer execution with nohup backgrounding (Bespoke install · alerting)
[LLM] Stage-2 implant masquerading as node-health-check daemon (/tmp/.kh, /tmp/.ns) (Bespoke install · alerting)
[LLM] node process spawning bash/curl chain to fetch Velora DEX install.sh dropper (Bespoke delivery · alerting)
[LLM] hackerbot-claw second-stage download: curl -sSfL pipe-bash from hackmoltrepeat.com/molt (Bespoke install · alerting)
[LLM] Python process spawning shell with TeamPCP recon chain (hostname; whoami; uname; ip addr fallback) (Bespoke actions · alerting)
[LLM] npm postinstall SSH-backdoor chain: node spawning sudo ufw allow 22/tcp + chown ~/.ssh (Bespoke install · alerting)
[LLM] Bash-spawned curl to xygeni-action C2 nip.io endpoint with /b/in /b/q /b/r path on CI runner (Bespoke c2 · alerting)
[LLM] Cloudflare-tunnel curl-piped Python stager (kamikaze.sh / kube.py) (Bespoke delivery · alerting)
[LLM] Exfiltration to kubernetes-el attacker webhook.site UUIDs (Pwn Request payload) (Bespoke c2 · alerting)
[LLM] Compromised kubernetes.el destructive payload — Emacs spawning `rm -rf / --no-preserve-root` (Bespoke actions · alerting)
[LLM] tj-actions/changed-files compromise: memdump.py secret-exfiltration shell pattern on runner (CVE-2025-30066) (Bespoke actions · alerting)
[LLM] Pastebin-piping stager retrieved from rentry.co/openclaw-core (macOS/Linux ClawHub skill) (Bespoke delivery · alerting)
[LLM] SKILL.md file written referencing fabricated openclaw-core prerequisite (ClawHub skill social engineering hook) (Bespoke weapon · hunting)
[LLM] Installation of credential-leaking ClawHub skills (moltyverse-email, buy-anything, prompt-log, youtube-data) (Bespoke install · alerting)
[LLM] AI agent skill leaks Stripe key or card PAN/CVC verbatim in curl command line (Bespoke actions · alerting)
[LLM] curl | bash or wget | sh executed by Claude/Cursor/OpenClaw agent process (Bespoke exploit · alerting)
[LLM] NPM preinstall hook fetching Bun installer from bun.sh (Sha1-Hulud dropper) (Bespoke delivery · alerting)
[LLM] Node.js process spawning interactive shell — suspected post-exploit RCE on Next.js / RSC server (Bespoke exploit · alerting)
[LLM] TruffleHog spawned by node/npm as postinstall — Shai-Hulud credential sweep (Bespoke actions · alerting)
[LLM] s1ngularity nx: AI CLI assistant invoked with permission-bypass flags (Claude/Gemini/Q) (Bespoke actions · alerting)
[LLM] GitHub Actions self-hosted runner spawning curl/wget POST to non-allowlisted egress (Bespoke exploit · hunting)
[LLM] wdavdaemon or MDE Linux endpoints observed on CI/CD build runners (Bespoke install · hunting)
[LLM] AI coding agent CLI (claude/gemini/q) invoked with permission-bypass flags (Bespoke actions · alerting)
[LLM] Malicious tj-actions base64 payload prefix observed in process command line (Bespoke exploit · alerting)
[LLM] GitHub Actions branch-name template injection — bash brace-expansion shell signature (Bespoke exploit · alerting)
[LLM] Outbound fetch of file.sh via attacker-controlled commit d8daa0b... on raw.githubusercontent.com (Bespoke c2 · alerting)
[LLM] cups-browsed spawning foomatic-rip or shell child (CVE-2024-47177 RCE) (Bespoke exploit · alerting)
[LLM] Tomcat/Java process spawns OS shell or LOLBin (post-webshell RCE) (Bespoke actions · alerting)
[LLM] macOS Text Replacements exfiltration via `defaults read NSUserDictionaryReplacementItems` (Bespoke actions · alerting)

Articles citing this technique (75)