7 matches found

OSSF Malicious Packages
added 2026/05/19 12:0 a.m. | 6 views

Malicious code in @antv/chart-node-g6 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0 | References: 5
OSSF Malicious Packages
added 2026/04/15 6:37 p.m. | 6 views

Malicious code in forge-jsx (npm)

forge-jsx is a malicious npm package that impersonates an Autodesk Forge SDK. It was published as a fully-formed RAT from its first version on April 7, 2026. Installing the package on any non-CI machine deploys a persistent background agent that captures all keystrokes, monitors clipboard content...

5.9 AI score
Exploits: 0 | References: 2
GithubExploit
added 2026/03/26 5:17 p.m. | 110 views

Troll-Exploit

TrollStore TrollStore is a permasigned jailed app that can pe...

6 AI score
Exploits: 0
HackRead
added 2025/02/27 7:43 p.m. | 16 views

New Backdoor Auto-color Linux Targets Systems in US and Asia

Auto-color: New Linux backdoor malware targeting the US and Asia. Learn about its advanced evasion, persistence, and detection…...

7.3 AI score
Exploits: 0
Filippo.io
added 2024/12/05 9:26 p.m. | 18 views

frood, an Alpine initramfs NAS

My NAS, frood, has a bit of a weird setup. It’s just one big initramfs containing a whole Alpine Linux system. It’s delightful and I am not sure why it’s not more common. As long as the bootloader can find the kernel and initramfs, the machine comes up cleanly. A/B deployments and rollbacks are...

7.4 AI score
Exploits: 0
Malwarebytes
added 2022/07/25 12:26 p.m. | 25 views

Lightning Framework, modular Linux malware

Researchers at Intezer have published a technical analysis of Lightning Framework, a previously undocumented and undetected Linux threat. Lightning is a modular framework that is very versatile and something we don’t see very often in the Linux space. The old argument that Linux systems or Macs f...

0.4 AI score
Exploits: 0
OSV
added 2022/03/16 3:15 p.m. | 2 views

CVE-2021-39689

In multiple functions of odsignmain.cpp, there is a possible way to persist system attack due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions:...

6.7 CVSS | 5.9 AI score | 0.00006 EPSS
Exploits: 0 | References: 1