Tomislav Pericin

🚨Versions 2.6.2 and 2.6.3 of the PyPI package "lightning" are compromised. RL research note: It is the same type of #Shaihulud malware as in recent Bitwarden and SAP compromises.

It looks like #TeamPCP has again compromised @Checkmarx #VSCode extensions and @Docker images. Newly published VSCode extensions checkmarx.cx-dev-assist (1.17.0 & 1.19.0) and checkmarx.ast-results (2.63.0 & 2.66.0) contain malicious code.

🚨 RL Research Alert! Look out for the compromised versions 1.14.1 and 0.30.4 of axios npm package with almost 11 billion downloads. secure.software/npm/packages/a…

Look out for compromised versions 4.87.1 and 4.87.2 of telnyx PyPI package with more than 3.75 million downloads. secure.software/pypi/packages/…

👁️ Be on the look out for compromised versions 1.82.7 and 1.82.8 of the "litellm" PyPI package, which has more than 479 million downloads 🧵👇 secure.software/pypi/packages/…

Look out for compromised version of Checkmarx ast-results OpenVSX extension open-vsx.org/extension/chec…

🚨 RL researchers occasionally come across interesting techniques used by malware in the wild. One such campaign consisting of 10 packages uses @github gists as a host for the second-stage payload. @cloudsop/hmoment" target="_blank" rel="nofollow noopener">secure.software/npm/packages/@…

🚨 RL researchers have discovered a new malicious package on #nuget that is imitating @stripe — a popular payment service. secure.software/nuget/packages…

⚠️ RL #ThreatResearch: A new branch of a fake job recruitment campaign by the NK Lazarus Group, dubbed "graphalgo," is targeting #Javascript & #Python devs with a remote access trojan (RAT). 👇 hubs.ly/Q042HLPR0

📆 Happening this Wednesday: Get a live, inside-look into the 2026 #SoftwareSupplyChainSecurity Report w/ @paulfroberts, @ap0x & Charlie Jones ➡️ hubs.ly/Q041S_kw0 #AppSec #CISO #DevSecOps

⚠️🧵RL researchers have discovered a malicious #VSCode extension with over 12K installs that has been dormant since December, but now ships a malicious version: secure.software/vscode/package…

@hmier @ReversingLabs None that I can find. Are you sure that you're looking at the same package name and version in our table?

@ReversingLabs FYI your list of compromised NPM packages has several duplicates securityweek.com/640-npm-packag…

👀Blog with full details & more updates can be found here: reversinglabs.com/blog/another-s… #npm #OSS #SoftwareSupplyChainSecurity #Shaihulud @ap0x

@ReversingLabs This new worm variant includes wiper functionality. Shai-hulud permanently destroy all data in the user's home directory making it unrecoverable. It overwrites the free space where the deleted files used to be. Ensuring that data recovery software cannot restore the files.

@ReversingLabs Just like with the first wave, automated dependency management tools (like DependaBot) are creating pull requests that are helping the worm spread.

RL automated threat detection systems are detecting the new wave of Shai-Hulud npm packages. Look out for the TH15502 policy violation in our Spectra Assure Community. Here is an example of a compromised package: @asyncapi/specs/6.9.1" target="_blank" rel="nofollow noopener">secure.software/npm/packages/@… - More info to follow from @ReversingLabs

After detecting & mitigating multiple supply chain attacks targeting #OSS the past few weeks, RL co-founder & CSA @ap0x had a gut reaction: "Something has to change, because we can’t keep doing this every week." #npm #GitHub bit.ly/426pOAC

⚠️ RL researchers have found another package compromised on day 3 of the ongoing #npm #phishing campaign. It hides the obfuscated payload in the middle of an already large index.js file.👇 bit.ly/42mEyLu

⚠️🧵 RL researches have detected a supply chain attack in an #npm package with a total download count of over 2 million: secure.software/npm/packages/i… #OSS #Dev