operations6

3.6K posts

@_operations6_

Joined June 2015
1.2K Following · 1.1K Followers
operations6 retweeted
Aikido Security (@AikidoSecurity)
A new npm supply-chain compromise is targeting SAP developer workflows. Mini Shai-Hulud follows a familiar pattern, but with a smaller package set and a serious secret-stealing payload built to hit developer machines and CI/CD environments. Affected packages we’re tracking:
- cap-js/sqlite v2.2.2
- cap-js/postgres v2.2.2
- cap-js/db-service v2.10.1
- mbt v1.2.48
If any of these touched your environment, rotate secrets and review GitHub, npm, cloud, and CI activity.
operations6 retweeted
Socket (@SocketSecurity)
🚨 Supply chain attack: SAP CAP and Cloud MTA npm packages compromised to download and execute unverified binaries. Affected versions:
→ mbt@1.2.48
→ @cap-js/db-service@2.10.1
→ @cap-js/postgres@2.2.2
→ @cap-js/sqlite@2.2.2
Developers using these packages should review lockfiles and CI/CD logs for installs during the exposure window. @cap-js/sqlite@2.2.2 has already been unpublished.
operations6 retweeted
Nav Toor (@heynavtoor)
Researchers sent the same resume to an AI hiring tool twice. Same qualifications. Same experience. Same skills. One version was written by a real human. The other was rewritten by ChatGPT. The AI picked the ChatGPT version 97.6% of the time. A team from the University of Maryland, the National University of Singapore, and Ohio State just published the receipt. They took 2,245 real human-written resumes pulled from a professional resume site from before ChatGPT existed, so the human writing was actually human. Then they had seven of the most-used AI models in the world rewrite each one. GPT-4o. GPT-4o-mini. GPT-4-turbo. LLaMA 3.3-70B. Qwen 2.5-72B. DeepSeek-V3. Mistral-7B. Then they asked each AI to pick the better resume. Every model picked itself. GPT-4o hit 97.6%. LLaMA-3.3-70B hit 96.3%. Qwen-2.5-72B hit 95.9%. DeepSeek-V3 hit 95.5%. The real human almost never won. Then the researchers tried the obvious objection. Maybe the AI is just better at writing. So they had real humans grade the resumes for actual quality and ran the experiment again, controlling for it. The result was worse. Each AI kept picking itself even when human judges rated the human-written version as clearer, more coherent, and more effective. It gets worse. The AIs do not just prefer AI over humans. They prefer themselves over other AIs. DeepSeek-V3 picked its own resumes 69% more often than LLaMA's. GPT-4o picked its own 45% more often than LLaMA's. Each model can recognize and reward its own dialect. Then the researchers ran the simulation that ends careers. Same job. 24 occupations. Same qualifications. The only variable was whether the candidate used the same AI as the screening tool. Candidates using that AI were 23% to 60% more likely to be shortlisted. Worst gap was in sales, accounting, and finance. 99% of large companies now run AI on incoming resumes. Most of them use GPT-4o. The paper just proved GPT-4o picks GPT-4o 97.6% of the time. 
If you wrote your own cover letter this week, you did not lose to a better candidate. You lost to a worse candidate who paid OpenAI 20 dollars. Your qualifications do not matter if the AI prefers its own handwriting over yours.
operations6 retweeted
Moshe Siman Tov Bustan (@MosheTov)
🚨 MCP FAILURE: 10+ CRITICAL CVEs 🚨 The Mother of All AI Supply Chains: Anthropic’s "By Design" failure at the heart of the AI ecosystem. The OX Security Research Team found, exploited, reported and conducted a full responsible disclosure for 30+ open source projects, coding agents, and live servers.
LangFlow - PWNED
LiteLLM - PWNED
Flowise - PWNED
DocsGPT - PWNED (PRODUCTION SERVER)
Upsonic - PWNED
GPT-Researcher - PWNED
LettaAI - PWNED (PRODUCTION SERVER)
WindSurf - PWNED
LangChain ChatChat - PWNED
Agent Zero - PWNED
Jaaz - PWNED
BISHENG - PWNED (PRODUCTION SERVER)
OpenHands - PWNED
PromptFoo - PWNED
And many, many more... PWNED.
Read the full blog, advisory, technical deep dive & ebook on our OX Security website:
Main blog: ox.security/blog/the-mothe…
Advisory: ox.security/blog/mcp-suppl…
Deep dive & case studies: ox.security/the-mother-of-…
Full research ebook download page: ox.security/resource-categ…
operations6 retweeted
Hunt.io (@Huntio)
🚩New Axios Vulnerability Exposes Apps to Remote Code Execution cyberpress.org/axios-vulnerab… Unfortunately, Axios is in the news again. A critical flaw (CVE-2026-40175) enables remote code execution and full cloud compromise. Attackers can chain prototype pollution, SSRF, and request smuggling to bypass AWS IMDSv2 and steal credentials. A public PoC is already available, increasing risk. Just two weeks after the Axios npm compromise, another critical issue emerges. If you rely on Axios, patching and dependency auditing should be a priority. #Infosec #ThreatHunting #CyberSecurity
operations6 retweeted
Feross (@feross)
Chainguard's CEO published a post this week arguing that scanners are "working against an adversary that's already beaten them" and that "the Axios attack was pulled hundreds of thousands of times before a single scanner flagged it." This is factually incorrect. Here's the timeline, all publicly verifiable: plain-crypto-js@4.2.1, the malicious payload, was published to npm on March 30 at 23:59 UTC. @SocketSecurity AI flagged it as malicious at 00:05 UTC. Six minutes. The first compromised Axios version wasn't published until 00:21 UTC, 16 minutes after we'd already flagged the attack. All this version did was add a dependency on the package we'd already caught. Socket customers with AI malware blocking enabled had installs blocked automatically during the entire three-hour exposure window. No CVE required. No luck required. This was independently corroborated by Snyk, Huntress, Orca Security, and InfoQ each of whom published their own analyses of the attack. Calling scanning "theater" while getting the facts of the year's biggest scanning success story wrong doesn't strengthen the argument. Scanners and hardened images aren't competing answers. They're complementary layers. The industry needs both. I agree with part of the post's broader argument. The trust model for open source consumption needs work. I've been maintaining npm packages with billions of cumulative downloads for over a decade. I know what's broken. But you don't fix the trust model by dismissing the defenders who are actually catching attacks and protecting the community. When we catch a malicious package, we report it to the registry and get it taken down. That protects every developer, not just our customers. Their proposed alternative, rebuilding packages from source, doesn't address the attacks that actually matter. The Axios attack was a maintainer account compromise that poisoned the source. xz-utils was a malicious maintainer who spent two years building trust and poisoned the source. 
Building from source just rebuilds these attacks faithfully. The most consequential supply chain attacks walk right through this model. Building from source doesn't stop bad source. And you don't fix this problem by declaring open source dead while your company's entire product is built on top of it. A Harvard study estimated the demand-side value of widely used open source at $8.8 trillion. The people maintaining that infrastructure are mostly unpaid. When they get targeted by nation-state actors, the answer should be to fund, support, and protect them, not warn enterprises away from their packages so you can sell a replacement. Open source is under attack because of how much value it creates. That's an argument for investing in it, not writing its obituary. Back to building.
operations6 retweeted
Feross (@feross)
North Korea is targeting npm maintainers -- not for crypto, but for write access to packages downloaded trillions of times a year. Several Socket engineers were targeted in this campaign -- myself, @ljharb, @jdalton, and others. None of us fell for the bait. Unfortunately, the axios maintainer did. No shame in that -- these aren't phishing emails. They're weeks-long ops with fake companies, fake Slack workspaces, and spoofed meeting platforms built with realistic Zoom/Teams interfaces using the official SDKs for realism. Other confirmed targets: @matteocollina (Fastify, Pino, Undici, Node.js TSC Chair), @wesleytodd (Express TC), @voxpelli (mocha, neostandard). The common thread? High-trust maintainers with publish access to packages that sit deep in everyone's dependency tree. The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a "fix." That fix is a RAT. Once it's on your machine, they have your .npmrc tokens, browser sessions, AWS creds, keychain. 2FA doesn't matter. OIDC publishing doesn't matter. Game over. Security researcher @tayvano_ linked this to UNC1069, a DPRK-nexus group Mandiant has tracked since 2018. Why social engineer one rich person when you can compromise one maintainer and reach millions of machines? This is the threat model now. If you maintain popular packages, act accordingly. If you use open source (and you certainly do), act accordingly. Full writeup: socket.dev/blog/attackers…
operations6 retweeted
abhisek (@abh1sek)
Looks like "someone" is experimenting with the payload seen in the axios supply chain attack. Likely as a dependency injection target for future attacks. Just came across mgc@1.2.1 through 1.2.4 (npm), which has a payload very similar to what we saw in the axios attack.
Kill chain:
- Stage-1: setup.cjs dropper detects OS
- macOS: drops binary to /Library/Caches/com.apple.act.mond
- Windows: PowerShell RAT + registry persistence (MicrosoftUpdate Run key)
- Linux: Python RAT at /tmp/ld.py in infinite loop
IOC:
- C2: admondtamang[.]com[.]np/gate
- Gist: gist[.]github[.]com/admondtamang/814132e794e5d007e9b8ebd223a9494f
- macOS path: /Library/Caches/com.apple.act.mond
- Windows: %PROGRAMDATA%\system.bat, %PROGRAMDATA%\wt.exe
- Registry: HKCU:\...\Run\MicrosoftUpdate
- Linux: /tmp/ld.py
- UA: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
Same C2 protocol as Axios attack (March 31):
- Identical peinject/runscript/rundir/kill command set
- Same packages.npm.org/product{0,1} platform tracking
- Same .NET Extension.SubRoutine.Run2 injection on Windows
- Same com.apple.act.mond macOS path
operations6 retweeted
flavio (@flaviocopes)
How Axios was compromised 🤯
operations6 retweeted
jasonsaayman (@jasonsaayman)
anyone that could assist with a contact at github? would really appreciate it
operations6 retweeted
ReversingLabs (@ReversingLabs)
🚨 RL Research Alert! Look out for the compromised versions 1.14.1 and 0.30.4 of the axios npm package, which has almost 11 billion downloads. secure.software/npm/packages/a…
operations6 retweeted
Feross (@feross)
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
operations6 retweeted
Socket (@SocketSecurity)
🚨 Active supply chain attack on axios@1.14.1. The latest version pulls in plain-crypto-js@4.2.1 -- a brand-new package that didn't exist before today. Socket's AI analysis flags it as a malicious obfuscated dropper: runtime deobfuscation, dynamic execSync loading, payload staging to temp/ProgramData directories, and post-execution artifact deletion. Consistent with supply chain malware. We're still investigating. If you use axios, pin your version and audit your lockfile.
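The lockfile audit that the Aikido, Socket, abhisek and Feross posts above call for, as an added example that is not code from any of those posts or from Socket: it walks a package-lock.json and reports every dependency whose name and version appear on a blocklist built from the compromised versions named in this feed. The sample lockfile is constructed; a real run would `JSON.parse` the project's own package-lock.json and pass it to `findCompromised`.

```javascript
// Added example, not code from any post above: scan an npm lockfile for the
// compromised versions named in this feed. Supports lockfileVersion 2/3
// ("packages" map) and v1 (nested "dependencies"). Sample lockfile is constructed.
const BLOCKLIST = {
  "axios": ["1.14.1", "0.30.4"],
  "plain-crypto-js": ["4.2.1"],
  "mgc": ["1.2.1", "1.2.2", "1.2.3", "1.2.4"],
  "@cap-js/sqlite": ["2.2.2"], "@cap-js/postgres": ["2.2.2"],
  "@cap-js/db-service": ["2.10.1"], "mbt": ["1.2.48"],
};
// v2/v3 keys look like "node_modules/axios/node_modules/plain-crypto-js";
// the package name is everything after the last "node_modules/".
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

function findCompromised(lock, blocklist = BLOCKLIST) {
  const hits = [];
  const check = (name, version, where) => {
    if ((blocklist[name] || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {                              // lockfileVersion 2 or 3
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key !== "") check(nameFromPath(key), entry.version, key); // "" = root project
    }
  } else if (lock.dependencies) {                   // lockfileVersion 1 tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        check(name, entry.version, prefix + name);
        if (entry.dependencies) walk(entry.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed v3 lockfile: a fresh `npm install` picked up axios@1.14.1, which
// in turn pulled in the dropper package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
```

A hit on a transitive path (here axios pulling in plain-crypto-js) is the case a top-level `npm ls axios` does not surface, which is why the walk reports the full lockfile key.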
operations6 retweeted
Gen Threat Labs (@GenThreatLabs)
You trust login[.]microsoftonline[.]com. So does your email gateway. Attackers know this — and they're using Microsoft's OAuth redirect to send victims from that trusted domain straight to credential harvesting pages. No vulnerability. Just a feature doing exactly what it's told. How: attackers register a multi-tenant Azure OAuth app with a malicious reply URL, then craft an /authorize request with prompt=none. When auth fails silently, Microsoft's JS fires the urlAppError handler and redirects the browser to the attacker's domain. The entire redirect originates from Microsoft's infrastructure. This bypasses URL filters that whitelist Microsoft login domains. Victims see a legitimate address bar the whole time. Lures typically pose as DocuSign, Adobe Acrobat Sign, or "sharing link violation" alerts.
Redirect chain ITW:
login[.]microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=...
→ securedoc9a09b4dfda82e3e[.]rentawareinc[.]com (302)
→ pub-ac3265049b9b4c1ebf987170df4fcce0[.]r2[.]dev (phishing page)
@Microsoft wrote about OAuth redirect abuse here: microsoft.com/en-us/security… #phishing #OAuth #Microsoft
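A filter-side check for the redirect abuse described above, as an added example that is not code from Gen Threat Labs or Microsoft: instead of trusting the login domain, it parses an /authorize link and flags one whose redirect_uri points outside the tenant's own registered reply hosts, noting when prompt=none is set. The trusted-host list, client_id values and hostnames are constructed placeholders.

```javascript
// Added example, not code from the Gen Threat Labs post: a URL filter that
// allowlists login.microsoftonline.com still lets an /authorize link through.
// This inspects where the link will send the browser instead: it flags
// /authorize links whose redirect_uri host is not one of the tenant's own
// registered reply hosts. The allowlist and sample links are constructed.

const MS_LOGIN_HOSTS = ["login.microsoftonline.com", "login.microsoft.com"];
// Hosts the organisation's own OAuth apps legitimately redirect to (assumed).
const TRUSTED_REPLY_HOSTS = ["myapps.microsoft.com", "sso.example-corp.test"];

function hostAllowed(host, allowlist) {
  return allowlist.some((h) => host === h || host.endsWith("." + h));
}

// Returns null for links that need no action, otherwise a verdict object.
function inspectAuthorizeLink(link, trusted = TRUSTED_REPLY_HOSTS) {
  let url;
  try { url = new URL(link); } catch { return null; }   // not a URL at all
  if (!MS_LOGIN_HOSTS.includes(url.hostname)) return null;
  if (!/\/oauth2\/(v2\.0\/)?authorize$/.test(url.pathname)) return null;
  const redirect = url.searchParams.get("redirect_uri");
  const prompt = url.searchParams.get("prompt");
  if (!redirect) return { verdict: "review", reason: "authorize link without redirect_uri" };
  let target;
  try { target = new URL(redirect); } catch { return { verdict: "block", reason: "unparseable redirect_uri" }; }
  if (hostAllowed(target.hostname, trusted)) return null;
  return {
    verdict: "block",
    reason: `redirect_uri leaves trusted hosts: ${target.hostname}`
            + (prompt === "none" ? " (prompt=none: silent failure redirects without a login page)" : ""),
    clientId: url.searchParams.get("client_id"),
  };
}

// Constructed sample links (client_id values and non-Microsoft hosts are placeholders).
const SAMPLES = [
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2F&prompt=select_account",
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fsecuredoc.attacker-placeholder.test%2Fcb&prompt=none",
  "https://mail.example-corp.test/inbox",
];
```

A link with no redirect_uri at all is returned as "review" rather than passed, because an app with a single registered reply URL is redirected there without the parameter appearing in the link.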
operations6 retweeted
Chris Wysopal (@WeldPond)
I’m excited to let you know that the talks from [un]prompted—the AI Security Practitioner Conference—are now live on YouTube. No fluff, no hype—just real-world AI security from people actually doing the work. youtube.com/playlist?list=…