Clankerusecase
MITRE ATT&CK detection coverage

T1204.002 Malicious File

T1204.002 (User Execution: Malicious File) is a sub-technique of T1204 User Execution in the MITRE ATT&CK Execution tactic: the adversary relies on a user opening a delivered file (document, archive, executable, installer, script, shortcut or package) to gain code execution. Clankerusecase tracks 315 detection use cases covering it and 308 threat-intel articles citing it.

Tactic: Execution
315 use cases · 308 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (315)

Email attachment opened from external sender [Internal delivery · hunting]
[WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [Internal delivery · alerting]
[WEEKLY] Developer package install spawning script-host with non-registry C2 within 5 minutes [Internal install · alerting]
[WEEKLY] Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access [Internal install · alerting]
[WEEKLY] Package-Manager Install -> Interpreter Child -> Non-Registry Egress Within 5 Minutes [Internal install · alerting]
[WEEKLY] Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes [Internal install · alerting]
[WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime [Internal install · alerting]
[WEEKLY] Package manager lifecycle hook spawns runtime with outbound egress to non-registry host within 5 minutes [Internal install · alerting]
[WEEKLY] Package manager spawns network-fetching child to public code-hosting within minutes of install [Internal install · alerting]
O365 SharePoint Malware Detection [ESCU actions · alerting]
O365 Threat Intelligence Suspicious File Detected [ESCU actions · alerting]
Batch File Write to System32 [ESCU actions · alerting]
Cisco NVM - Susp Script From Archive Triggering Network Activity [ESCU actions · hunting]
Drop IcedID License dat [ESCU actions · hunting]
Single Letter Process On Endpoint [ESCU actions · alerting]
Suspicious Process Executed From Container File [ESCU actions · alerting]
Windows Advanced Installer MSIX with AI_STUBS Execution [ESCU actions · alerting]
Windows AppX Deployment Full Trust Package Installation [ESCU actions · hunting]
Windows AppX Deployment Package Installation Success [ESCU actions · hunting]
Windows AppX Deployment Unsigned Package Installation [ESCU actions · alerting]
Windows Binary Execution from an Archive [ESCU actions · hunting]
Windows Default Cobalt Strike PowerShell Beacon [ESCU actions · alerting]
Windows Developer-Signed MSIX Package Installation [ESCU actions · hunting]
Windows EFI Volume Mount Attempt Via Mountvol [ESCU actions · hunting]
Windows Explorer.exe Spawning PowerShell or Cmd [ESCU actions · hunting]
Windows Explorer LNK Exploit Process Launch With Padding [ESCU actions · alerting]
Windows MSIX Package Interaction [ESCU actions · hunting]
Windows Mustang Panda USB Tool Execution [ESCU actions · alerting]
Windows NorthStar C2 Agent Execution [ESCU actions · alerting]
Windows PowerShell Script From WindowsApps Directory [ESCU actions · alerting]
Windows Suspect Process With Authentication Traffic [ESCU actions · hunting]
Windows Suspicious QEMU Execution [ESCU actions · alerting]
Windows Universal Data Link File Creation [ESCU actions · hunting]
Windows User Execution Malicious URL Shortcut File [ESCU actions · hunting]
Uncommon Processes On Endpoint [ESCU actions · hunting]
Article-specific behavioural hunt — Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication [Bespoke install · hunting]
[LLM] AUR helper or makepkg spawning npm/node to install atomic-lockfile or js-digest [Bespoke install · alerting]
Article-specific behavioural hunt — Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered [Bespoke exploit · hunting]
Article-specific behavioural hunt — Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit [Bespoke exploit · hunting]
[LLM] Atomic Arch: deps ELF execution by SHA256/MD5 or src/hooks/deps path [Bespoke install · hunting]
[LLM] Atomic Arch — pacman/makepkg post-install spawning npm install of atomic-lockfile [Bespoke install · alerting]
[LLM] Atomic Arch — ELF payload 'deps' written or executed under build/cache directories after AUR install [Bespoke install · alerting]
Article-specific behavioural hunt — ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Univ [Bespoke exploit · hunting]
Article-specific behavioural hunt — A tale of two eras [Bespoke exploit · hunting]
[LLM] Talos weekly prevalent malware hash execution (Coinminer/Injector/Dropper.Miner) [Bespoke install · alerting]
[LLM] Talos prevalent malware filename pattern — VID001.exe and d4aa3e70..._N_Exe.exe [Bespoke install · hunting]
Article-specific behavioural hunt — Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspi [Bespoke exploit · hunting]
[LLM] Miasma/Hades known-bad SHA256 execution on developer endpoint [Bespoke install · hunting]
Article-specific behavioural hunt — npm v12 delivers one of the biggest security improvements in years [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-48039: Meta Ads MCP: Unauthenticated HTTP MCP Tool Ex [Bespoke exploit · hunting]
[LLM] CVE-2026-48039 PoC artifact execution (meta-ads-mcp-vuln001 image, FAKE_TOKEN_FOR_POC_DEMO env) [Bespoke exploit · alerting]
Article-specific behavioural hunt — Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories [Bespoke exploit · hunting]
Article-specific behavioural hunt — OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack [Bespoke exploit · hunting]
[LLM] SPECTRALVIPER known-bad SHA1 observed on disk or in process [Bespoke install · alerting]
Article-specific behavioural hunt — OceanLotus: From external espionage to domestic targeting [Bespoke exploit · hunting]
[LLM] SPECTRALVIPER known SHA1 sample sighting (ESET 2024-2026 IOC bundle) [Bespoke install · hunting]
Article-specific behavioural hunt — GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks [Bespoke exploit · hunting]
Article-specific behavioural hunt — Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE B [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-48030: Pheditor: OS Command Injection in terminal han [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code e [Bespoke exploit · hunting]
Article-specific behavioural hunt — Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositori [Bespoke exploit · hunting]
[LLM] node.exe spawned by Code/Cursor/Claude/Gemini executing .github/setup.js [Bespoke exploit · alerting]
Article-specific behavioural hunt — Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Conti [Bespoke exploit · hunting]
[LLM] Miasma stealer payload SHA256 match on disk or in execution [Bespoke install · hunting]
Article-specific behavioural hunt — Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System [Bespoke exploit · hunting]
Article-specific behavioural hunt — Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via U [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026 [Bespoke exploit · hunting]
Article-specific behavioural hunt — One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public [Bespoke install · hunting]
Article-specific behavioural hunt — AI brands as bait: How threat actors are using the AI hype in social engineering [Bespoke exploit · hunting]
[LLM] Execution or drop of fake AI-platform installer (DeepSeek/Manus/Seedance/GPT-5.5/Kimi) [Bespoke install · alerting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47731: NASA AMMOS Instrument Toolkit: Path traversal [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadRe [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbit [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47708: MCP-for-Stata: Command injection via log_file_ [Bespoke install · hunting]
[LLM] Mini Shai-Hulud payload SHA256 on disk (7c24b4d9...e627144e8b) [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] GHSA-8whc-2wmv-ww35: WWBN AVideo: Unauthenticated Stored DOM C [Bespoke exploit · hunting]
Article-specific behavioural hunt — Reporting from Vegas: Networking, AI, and good boys [Bespoke exploit · hunting]
[LLM] Talos weekly prevalent malware SHA256 IOC sweep (Coinminer / Procpatcher / KMS activator) [Bespoke install · alerting]
Article-specific behavioural hunt — Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp [Bespoke exploit · hunting]
Article-specific behavioural hunt — Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in bind [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44182: Jupyter Enterprise Gateway: Kubernetes Manifes [Bespoke exploit · hunting]
[LLM] Argamal Loader Artifacts — natives2_blob.bin / Modified ffmpeg.dll IOC Sweep [Bespoke install · hunting]
Article-specific behavioural hunt — Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing cam [Bespoke exploit · hunting]
Article-specific behavioural hunt — Why EDR and proxy won’t save you from supply chain malware [Bespoke exploit · hunting]
Article-specific behavioural hunt — The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) [Bespoke exploit · hunting]
Article-specific behavioural hunt — Multiple redhat-cloud-services npm Packages compromised [Bespoke exploit · hunting]
Article-specific behavioural hunt — Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Re [Bespoke install · hunting]
[LLM] Nx Console v18.95.0 Compromised VSIX / main.js / payload SHA-256 Hash Match [Bespoke install · hunting]
[LLM] FlutterShell macOS payload SHA256 IOC match [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47413: praisonai-platform: Any workspace member can a [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47429: When Vitest UI server is listening, arbitrary [Bespoke install · hunting]
Article-specific behavioural hunt — Containers on fire: from container escapes to supply chain attacks [Bespoke install · hunting]
Article-specific behavioural hunt — Miasma supply chain attack: malicious code found in @redhat-cloud-services npm p [Bespoke exploit · hunting]
Article-specific behavioural hunt — Malicious npm packages abuse dependency confusion to profile developer environme [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can p [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47410: praisonai-platform: JWT signing key defaults t [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47391: PraisonAI's unauthenticated A2A official examp [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `pr [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47393: PraisonAI `deploy --type api` emits a Flask se [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47140: NodeVM builtin denylist bypass via process and [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47210: vm2 sandbox escape via JSPI-backed Promise `.f [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47131: vm2 has a Sandbox Escape issue [Bespoke exploit · hunting]
Article-specific behavioural hunt — What’s in the container? Analyzing vulnerabilities, risks and protection with Ka [Bespoke install · hunting]
Article-specific behavioural hunt — Typosquatted npm packages used to steal cloud and CI/CD secrets [Bespoke exploit · hunting]
Article-specific behavioural hunt — Less panic patching, more precision [Bespoke exploit · hunting]
Article-specific behavioural hunt — Pirates in the crosshairs: how one cybercrime gang has been infecting book, movi [Bespoke exploit · hunting]
[LLM] HLS Installer.874.exe DLL side-load from pirate-streaming ZIP lure [Bespoke install · alerting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via [Bespoke install · hunting]
Article-specific behavioural hunt — Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45618: LiquidJS is Vulnerable to Remote Code Executio [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44632: Yamcs Vulnerable to Server-Side Code Injection [Bespoke exploit · hunting]
[LLM] BTMOB Android RAT APK SHA256 sighting in file or email telemetry [Bespoke delivery · hunting]
Article-specific behavioural hunt — Laravel Lang Supply Chain Advisory [Bespoke exploit · hunting]
[LLM] DebugChromium.exe execution (Laravel-Lang stealer Windows artifact) [Bespoke install · alerting]
Article-specific behavioural hunt — Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer [Bespoke exploit · hunting]
Article-specific behavioural hunt — Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Reposito [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46670: YesWiki: Unauthenticated SQL Injection [Bespoke exploit · hunting]
[LLM] Screening Serpens recruitment lure — Hiring Portal.zip + job requisition PDFs [Bespoke delivery · alerting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46703: Boxlite: Path Traversal Vulnerability Leads to [Bespoke exploit · hunting]
Article-specific behavioural hunt — The art of being ungovernable [Bespoke exploit · hunting]
[LLM] Talos weekly prevalent-malware hash hit (Coinminer worm / TunMirror / SECOH-QAD / KMS-Loader) [Bespoke install · alerting]
[LLM] Known Shai-Hulud / Nx Console implant hash match (SHA256/SHA1) [Bespoke install · hunting]
Article-specific behavioural hunt — Dev Machine Guard Now Supports Linux [Bespoke install · hunting]
Article-specific behavioural hunt — The Wild West of VS Code extensions and how a poisoned extension breached GitHub [Bespoke exploit · hunting]
[LLM] TamperedChef shell-company code-signing certificate execution (CL-UNK-1090) [Bespoke install · alerting]
[LLM] TamperedChef trojanized-app activation via --cm / --enableupdate / --fullupdate flags [Bespoke install · alerting]
Article-specific behavioural hunt — GitHub breached via a malicious VS Code extension: why developer devices are the [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2009-1537 — Microsoft DirectX NULL Byte Overwrite Vulnerability [Bespoke exploit · hunting]
Article-specific behavioural hunt — The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package C [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution [Bespoke exploit · hunting]
Article-specific behavioural hunt — Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks aga [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45721: Algernon: handler.lua discovery walks parent d [Bespoke install · hunting]
Article-specific behavioural hunt — Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages [Bespoke exploit · hunting]
Article-specific behavioural hunt — actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter [Bespoke exploit · hunting]
Article-specific behavioural hunt — Active Supply Chain Attack: Malicious node-ipc Versions Published to npm [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] GHSA-wx9m-wx4f-4cmg: Malicious dropper in mistralai 2.4.6 PyPI [Bespoke exploit · hunting]
[LLM] Gremlin Stealer packed sample SHA256 execution (2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) [Bespoke install · alerting]
Article-specific behavioural hunt — Malicious node-ipc versions published to npm in suspected maintainer account com [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via U [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45374: DeepSeek TUI: task_create Insecure Defaults En [Bespoke install · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via M [Bespoke install · hunting]
[LLM] DeepSeek-TUI spawning 'cargo test' — CVE-2026-45311 auto-approved run_tests pathway [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text [Bespoke exploit · hunting]
Article-specific behavioural hunt — The time of much patching is coming [Bespoke exploit · hunting]
[LLM] Talos weekly top-prevalent malware hash watch (Coinminer / Injector / W32.Variant) [Bespoke install · alerting]
Article-specific behavioural hunt — Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities [Bespoke exploit · hunting]
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46442: FlowiseAI: Authenticated Host RCE via POST /ap [Bespoke exploit · hunting]
[LLM] FrostyNeighbor JS dropper self-relaunch with --update flag [Bespoke exploit · alerting]
Article-specific behavioural hunt — Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and [Bespoke exploit · hunting]
Article-specific behavioural hunt — Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools [Bespoke exploit · hunting]
Article-specific behavioural hunt — PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale [Bespoke exploit · hunting]
Article-specific behavioural hunt — Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated [Bespoke install · hunting]
Article-specific behavioural hunt — A rigged game: ScarCruft compromises gaming platform in a supply-chain attack [Bespoke exploit · hunting]
[LLM] BirdCall trojanized APK/mono.dll SHA1 match on Windows endpoints [Bespoke install · hunting]
Article-specific behavioural hunt — Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 [Bespoke exploit · hunting]
Article-specific behavioural hunt — elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub A [Bespoke install · hunting]
Article-specific behavioural hunt — Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, [Bespoke exploit · hunting]
Article-specific behavioural hunt — CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentia [Bespoke exploit · hunting]
Article-specific behavioural hunt — Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud [Bespoke exploit · hunting]
[LLM] Mini Shai-Hulud PyPI payload known SHA256 (start.py / router_runtime.js) [Bespoke install · alerting]
Article-specific behavioural hunt — lightning PyPI Compromise: A Bun-Based Credential Stealer in Python [Bespoke exploit · hunting]
Article-specific behavioural hunt — Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer [Bespoke exploit · hunting]
Article-specific behavioural hunt — Someone published four versions of a fake "tanstack" package in 27 minutes to st [Bespoke exploit · hunting]
Article-specific behavioural hunt — Bridging the Gap to Autonomous Fixes: Snyk and Atlassian Unveil Intelligent Reme [Bespoke exploit · hunting]
Article-specific behavioural hunt — "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm [Bespoke exploit · hunting]
Article-specific behavioural hunt — Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from [Bespoke exploit · hunting]
Article-specific behavioural hunt — Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomini [Bespoke exploit · hunting]
[LLM] Roblox cheat/exploit download on enterprise endpoint (Lumma Stealer entry vector) [Bespoke delivery · alerting]
Article-specific behavioural hunt — Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Wo [Bespoke exploit · hunting]
Article-specific behavioural hunt — GopherWhisper: A burrow full of malware [Bespoke exploit · hunting]
Article-specific behavioural hunt — GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays [Bespoke exploit · hunting]
Article-specific behavioural hunt — Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow [Bespoke exploit · hunting]
Article-specific behavioural hunt — @velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via l [Bespoke exploit · hunting]
Article-specific behavioural hunt — hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft [Bespoke exploit · hunting]
Article-specific behavioural hunt — Cline Supply Chain Attack Detected: cline@2.3.0 Silently Installs OpenClaw [Bespoke exploit · hunting]
Article-specific behavioural hunt — GlassWorm goes native: New Zig dropper infects every IDE on your machine [Bespoke exploit · hunting]
Article-specific behavioural hunt — Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT [Bespoke exploit · hunting]
Article-specific behavioural hunt — axios compromised on npm: maintainer account hijacked, RAT deployed [Bespoke exploit · hunting]
Article-specific behavioural hunt — litellm: Credential Stealer Hidden in PyPI Wheel [Bespoke exploit · hunting]
[LLM] Silver Fox Japan tax-season lure: inbound email with Japanese HR/ESOP subject + gofile.io URL or RAR/ZIP [Bespoke delivery · alerting]
[LLM] gofile.io archive download by browser followed by extracted-EXE execution within 30 minutes [Bespoke install · alerting]
Article-specific behavioural hunt — Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags [Bespoke exploit · hunting]
Article-specific behavioural hunt — CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the [Bespoke exploit · hunting]
Article-specific behavioural hunt — Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup- [Bespoke exploit · hunting]
Article-specific behavioural hunt — bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys [Bespoke exploit · hunting]
Article-specific behavioural hunt — Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Do [Bespoke exploit · hunting]
Article-specific behavioural hunt — Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wa [Bespoke exploit · hunting]
Article-specific behavioural hunt — ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and [Bespoke exploit · hunting]
Article-specific behavioural hunt — xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning [Bespoke install · hunting]
Article-specific behavioural hunt — How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM [Bespoke exploit · hunting]
Article-specific behavioural hunt — CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran [Bespoke exploit · hunting]
Article-specific behavioural hunt — TeamPCP deploys CanisterWorm on NPM following Trivy compromise [Bespoke exploit · hunting]
Article-specific behavioural hunt — fast-draft Open VSX Extension Compromised by BlokTrooper [Bespoke install · hunting]
Article-specific behavioural hunt — Securing the Agent Skills Registry: How Snyk and Tessl Are Setting the Standard [Bespoke exploit · hunting]
Article-specific behavioural hunt — DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laund [Bespoke install · hunting]
[LLM] DRILLAPP variant 1 persistence: LNK file written to user Startup folder by non-Explorer process [Bespoke install · alerting]
[LLM] DRILLAPP variant 2 delivery: CPL file executed from user-writable folder spawning Edge [Bespoke delivery · alerting]
Article-specific behavioural hunt — kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package [Bespoke exploit · hunting]
Article-specific behavioural hunt — Sednit reloaded: Back in the trenches [Bespoke exploit · hunting]
Article-specific behavioural hunt — The 89% Problem: How LLMs Are Resurrecting the "Dormant Majority" of Open Source [Bespoke exploit · hunting]
Article-specific behavioural hunt — Persistent XSS/RCE using WebSockets in Storybook’s dev server [Bespoke exploit · hunting]
Article-specific behavioural hunt — Harden Runner Now Supports Windows and macOS GitHub Actions Runners [Bespoke exploit · hunting]
Article-specific behavioural hunt — PlugX Meeting Invitation via MSBuild and GDATA [Bespoke exploit · hunting]
Article-specific behavioural hunt — SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel [Bespoke exploit · hunting]
Article-specific behavioural hunt — Securing the Agent Skill Ecosystem: How Snyk and Vercel Are Locking Down the New [Bespoke exploit · hunting]
Article-specific behavioural hunt — From detection to prevention: How Zen stops IDOR vulnerabilities at runtime [Bespoke exploit · hunting]
Article-specific behavioural hunt — npm backdoor lets hackers hijack gambling outcomes [Bespoke exploit · hunting]
Article-specific behavioural hunt — Exploitability Isn’t the Answer. Breakability Is. [Bespoke exploit · hunting]
[LLM] Pastebin-piping stager retrieved from rentry.co/openclaw-core (macOS/Linux ClawHub skill) [Bespoke delivery · alerting]
[LLM] Download of openclawcore-1.0.3.zip from denboss99 GitHub release (Windows OpenClaw skill payload) [Bespoke delivery · alerting]
[LLM] SKILL.md file written referencing fabricated openclaw-core prerequisite (ClawHub skill social engineering hook) [Bespoke weapon · hunting]
Article-specific behavioural hunt — Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Stu [Bespoke exploit · hunting]
[LLM] npx invocation of known phantom package names disclosed by Aikido [Bespoke install · alerting]
[LLM] VS Code (Code.exe/node) drops payload to %TEMP%\Lightshot staging directory [Bespoke delivery · hunting]
Article-specific behavioural hunt — Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages [Bespoke exploit · hunting]
Article-specific behavioural hunt — Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2025-54313 — Prettier eslint-config-prettier Embedded Malicious Co [Bespoke exploit · hunting]
Article-specific behavioural hunt — Revisiting CVE-2025-50165: A critical flaw in Windows Imaging Component [Bespoke exploit · hunting]
Article-specific behavioural hunt — Critical Remote Code Execution Vulnerabilities Discovered in React Server Compon [Bespoke exploit · hunting]
Article-specific behavioural hunt — How Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF's Backstag [Bespoke exploit · hunting]
Article-specific behavioural hunt — Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Pac [Bespoke exploit · hunting]
Article-specific behavioural hunt — Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compr [Bespoke exploit · hunting]
Article-specific behavioural hunt — Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE- [Bespoke exploit · hunting]
Article-specific behavioural hunt — Run AutoMCP To Supercharge Your AI Agent with Libraries MCP Servers [Bespoke exploit · hunting]
[LLM] MuddyWater Fooder loader (OsUpdater.exe) execution from Downloads [Bespoke install · alerting]
Article-specific behavioural hunt — Snyk Log Sniffer: AI-Powered Audit Log Insights for Security Leaders [Bespoke exploit · hunting]
Article-specific behavioural hunt — Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages [Bespoke exploit · hunting]
Article-specific behavioural hunt — PlushDaemon compromises network devices for adversary-in-the-middle attacks [Bespoke exploit · hunting]
Article-specific behavioural hunt — Automated Package-Publication Incident IndonesianFoods in the NPM Ecosystem Link [Bespoke exploit · hunting]
[LLM] Execution / write of ESET APT Q2-Q3 2025 known-bad SHA256 payload [Bespoke install · hunting]
[LLM] Archive utility writing LNK/DLL/EXE to Windows Startup folder (RomCom CVE-2025-8088) [Bespoke install · alerting]
Article-specific behavioural hunt — Snyk Studio brings security scanning and automated fixes to Factory's Droids [Bespoke install · hunting]
Article-specific behavioural hunt — Gotta fly: Lazarus targets the UAV sector [Bespoke exploit · hunting]
[LLM] DreamJob trojanized PDF/installer execution from job-lure decoy folder [Bespoke delivery · hunting]
Article-specific behavioural hunt — Phishing Campaign Leveraging the NPM Ecosystem [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2013-3918 — Microsoft Windows Out-of-Bounds Write Vulnerability [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2011-3402 — Microsoft Windows Remote Code Execution Vulnerability [Bespoke exploit · hunting]
Article-specific behavioural hunt — Malicious MCP Server on npm postmark-mcp Harvests Emails [Bespoke exploit · hunting]
Article-specific behavioural hunt — s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malw [Bespoke exploit · hunting]
Article-specific behavioural hunt — Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack [Bespoke exploit · hunting]
Article-specific behavioural hunt — npm Supply Chain Attack via Open Source maintainer compromise [Bespoke exploit · hunting]
Article-specific behavioural hunt — Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security In [Bespoke exploit · hunting]
Article-specific behavioural hunt — When 'Changed Files' Changed Everything: Our Black Hat 2025 Presentation on the [Bespoke exploit · hunting]
Article-specific behavioural hunt — Cursor IDE Malware Extension Compromise in $500k Crypto Heist [Bespoke exploit · hunting]
[LLM] Cursor IDE or VS Code spawning PowerShell/WScript from extensions folder (Solidity Language malware chain) [Bespoke exploit · alerting]
[LLM] Solidity Language Cursor extension known malicious SHA-256 hash present on disk or executed [Bespoke weapon · hunting]
Article-specific behavioural hunt — Security Testing for Single-Page Applications (SPAs) [Bespoke exploit · hunting]
Article-specific behavioural hunt — CVE-2025-29927 Authorization Bypass in Next.js Middleware [Bespoke exploit · hunting]
Article-specific behavioural hunt — Unburdening Developers From Vulnerability Fatigue with Snyk Delta Findings [Bespoke exploit · hunting]
Article-specific behavioural hunt — Reconstructing the TJ Actions Changed Files GitHub Actions Compromise [Bespoke exploit · hunting]
Article-specific behavioural hunt — Can Snyk Detect JWT Security Issues? [Bespoke exploit · hunting]
Article-specific behavioural hunt — Solving Security Challenges with Snyk Code and Symbolic AI [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2022-23748 — Dante Discovery Process Control Vulnerability [Bespoke exploit · hunting]
Article-specific behavioural hunt — Creating SBOMs with the Snyk CLI [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2024-55591 — Fortinet FortiOS and FortiProxy Authentication Bypass [Bespoke exploit · hunting]
Article-specific behavioural hunt — Ultralytics AI Pwn Request Supply Chain Attack [Bespoke exploit · hunting]
Article-specific behavioural hunt — Lottie Player npm package compromised for crypto wallet theft [Bespoke exploit · hunting]
Article-specific behavioural hunt — The mysterious supply chain concern of string-width-cjs npm package [Bespoke exploit · hunting]
Article-specific behavioural hunt — Proactive AppSec continuous vulnerability management for developers and security [Bespoke exploit · hunting]
Article-specific behavioural hunt — Promise queues and batching concurrent tasks in Deno [Bespoke exploit · hunting]
Article-specific behavioural hunt — Identifying insecure C Code with Valgrind and fixing with Snyk Code [Bespoke install · hunting]
Article-specific behavioural hunt — Want to avoid a data breach? Employ secrets detection [Bespoke exploit · hunting]
Article-specific behavioural hunt — CISA KEV: CVE-2024-7262 — Kingsoft WPS Office Path Traversal Vulnerability [Bespoke exploit · hunting]
Article-specific behavioural hunt — Vulnerabilities in NodeJS C/C++ add-on extensions [Bespoke exploit · hunting]
Article-specific behavioural hunt — A denial of service Regex breaks FastAPI security [Bespoke exploit · hunting]
Article-specific behavioural hunt — 10 Dimensions of Python Static Analysis [Bespoke exploit · hunting]
Article-specific behavioural hunt — Polyfill supply chain attack embeds malware in JavaScript CDN assets [Bespoke exploit · hunting]
Article-specific behavioural hunt — Finding and fixing exposed hardcoded secrets in your GitHub project with Snyk [Bespoke exploit · hunting]
Article-specific behavioural hunt — Essential Node.js backend examples for developers in 2024 [Bespoke exploit · hunting]
Article-specific behavioural hunt — 10 modern Node.js runtime features to start using in 2024 [Bespoke exploit · hunting]
Article-specific behavioural hunt — Fastify plugins as building blocks for a backend Node.js API [Bespoke exploit · hunting]
Article-specific behavioural hunt — Preventing broken access control in express Node.js applications [Bespoke exploit · hunting]
Article-specific behavioural hunt — Symmetric vs.
asymmetric encryption: Practical Python examples Bespoke exploit · hunting DSP Article-specific behavioural hunt — Building an npm package compatible with ESM and CJS in 2024 Bespoke exploit · hunting DSP Article-specific behavioural hunt — Nine Docker pro tips for Node.js developers Bespoke exploit · hunting DSP Article-specific behavioural hunt — Exploiting HTTP/2 CONTINUATION frames for DoS attacks Bespoke exploit · hunting DSP Article-specific behavioural hunt — GitHub “besieged” by malware repositories and repo confusion: Why you'll be ok Bespoke exploit · hunting DSP Article-specific behavioural hunt — 5 Node.js security code snippets every backend developer should know Bespoke exploit · hunting DSP Article-specific behavioural hunt — Preventing server-side request forgery in Node.js applications Bespoke exploit · hunting DSP Article-specific behavioural hunt — Preventing SQL injection attacks in Node.js Bespoke exploit · hunting DSP Article-specific behavioural hunt — Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195) Bespoke exploit · hunting DSP Article-specific behavioural hunt — Build and deploy a Node.js security scanning API to Platformatic Cloud Bespoke exploit · hunting DSP Article-specific behavioural hunt — Command injection in Python: examples and prevention Bespoke exploit · hunting DSP Article-specific behavioural hunt — Vulnerability disclosure: Which comes first, the security bug in PHP or the CVE? 
Bespoke exploit · hunting DSP Article-specific behavioural hunt — Code injection in Python: examples and prevention Bespoke install · hunting DSP Article-specific behavioural hunt — Snyk Fetch the Flag CTF 2023 writeup: Off the SETUID Bespoke exploit · hunting DSP Article-specific behavioural hunt — Snyk Fetch the Flag CTF 2023 writeup: Honey Baked Messages Bespoke exploit · hunting DSP Article-specific behavioural hunt — Exploring WebExtension security vulnerabilities in React Developer Tools and Vue Bespoke exploit · hunting DSP Article-specific behavioural hunt — File encryption in Python: An in-depth exploration of symmetric and asymmetric t Bespoke exploit · hunting DSP Article-specific behavioural hunt — Dependency injection in Python Bespoke exploit · hunting DSP Article-specific behavioural hunt — The art of conditional rendering: Tips and tricks for React and Next.js develope Bespoke exploit · hunting DSP Article-specific behavioural hunt — Weak Hash vulnerability discovered in crypto-js and crypto-es (CVE-2023-46233 & Bespoke exploit · hunting DSP Article-specific behavioural hunt — Installing and managing Java on macOS Bespoke exploit · hunting DSP Article-specific behavioural hunt — High severity vulnerability found in libcurl and curl (CVE-2023-38545) Bespoke install · hunting DSP Article-specific behavioural hunt — Modern VS Code extension development tutorial: Building a secure extension Bespoke exploit · hunting DSP Article-specific behavioural hunt — Security implications of cross-origin resource sharing (CORS) in Node.js Bespoke exploit · hunting DSP Article-specific behavioural hunt — A guide to input validation with Spring Boot Bespoke exploit · hunting DSP Article-specific behavioural hunt — Node.js vs. Deno vs. 
Bun: Performance & JavaScript Runtime Comparison Bespoke exploit · hunting DSP Article-specific behavioural hunt — Using JLink to create smaller Docker images for your Spring Boot Java applicatio Bespoke exploit · hunting DSP Article-specific behavioural hunt — What are AI hallucinations and why should developers care? Bespoke exploit · hunting DSP Article-specific behavioural hunt — Mitigating DOM clobbering attacks in JavaScript Bespoke exploit · hunting DSP Article-specific behavioural hunt — Implementing TLS in Kubernetes Bespoke exploit · hunting DSP Article-specific behavioural hunt — Finding and fixing insecure direct object references in Python Bespoke exploit · hunting DSP Article-specific behavioural hunt — Swift deserialization security primer Bespoke install · hunting DSP Article-specific behavioural hunt — XS leaks: What they are and how to avoid them Bespoke exploit · hunting DSP Article-specific behavioural hunt — Building a security-conscious CI/CD pipeline Bespoke exploit · hunting DSP Article-specific behavioural hunt — The importance of verifying webhook signatures Bespoke exploit · hunting DSP Article-specific behavioural hunt — Using insecure npm package manager defaults to steal your macOS keyboard shortcu Bespoke exploit · hunting DSP Article-specific behavioural hunt — The SecurityManager is getting removed in Java: What that means for you Bespoke install · hunting DSP

Articles citing this technique (308)