Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise

FEATURE Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from ...

'This creates a layered form of obfuscation': New report says criminals are using emojis to avoid detection

Security analysts aren't scanning the dark web for emojis, allowing criminals to share messages wiithout being spotted.

The invisible threat hidden in clear view: how Unicode characters are being weaponized to hide malicious commands from human users

Research from BeyondTrust Phantom Labs found the vulnerability stems from improper input sanitization in how Codex processed ...
CSO Online

Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack

With almost 175,000 npm projects listing the library as a dependency, the attack had a huge cascade effect and shows how quickly a compromised package can propagate through the ecosystem.

Supply chain blast: Top npm package backdoored to drop dirty RAT on dev machines

Updated: Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios ...
The Hacker News

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

DeepLoad exploits ClickFix and WMI persistence to steal credentials, enabling stealth reinfection after three days.