#worm — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #worm, aggregated by home.social.
-
Inside a Tor Backed Supply Chain Worm
Pulse ID: 6a1283dfd67e65f70f376aab
Pulse Link: https://otx.alienvault.com/pulse/6a1283dfd67e65f70f376aab
Pulse Author: Tr1sa111
Created: 2026-05-24 04:51:43
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #OTX #OpenThreatExchange #SupplyChain #Worm #bot #Tr1sa111
-
Snake-like jumping worms are tearing through gardens nationwide — and they’re nearly impossible to stop https://www.allforgardening.com/1785056/snake-like-jumping-worms-are-tearing-through-gardens-nationwide-and-theyre-nearly-impossible-to-stop/ #FlowerGardens #garden #gardening #HarvestPublicMedia #Worm
-
Grafana Labs Compromise via Supply Chain Worm Campaign
A supply chain cyberattack linked to a malicious npm package campaign affected Grafana Labs by allowing attackers to access and copy parts of its internal source code and business related data. The attack spread through a compromised software dependency and enabled unauthorized access to private development systems.
Pulse ID: 6a10b60fe2e1c2e637bc6e3a
Pulse Link: https://otx.alienvault.com/pulse/6a10b60fe2e1c2e637bc6e3a
Pulse Author: cryptocti
Created: 2026-05-22 20:01:19
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberAttack #CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #RAT #RCE #SupplyChain #Worm #bot #cryptocti
-
The Worm That Keeps on Digging: Latest Wave
A sophisticated supply chain campaign targeting the open source developer ecosystem has emerged, compromising NPM packages in the @antv namespace, GitHub Actions including actions-cool/issues-helper, and the VSCode extension nrwl.angular-console. The malware initiates multi-stage infection chains using GitHub-hosted infrastructure and orphaned commits to deploy payloads via bun. It harvests extensive credentials including GitHub tokens, SSH keys, cloud credentials, and browser secrets, exfiltrating data through attacker-controlled public GitHub repositories. The campaign establishes persistence through a Python backdoor that polls GitHub for signed commands containing specific trigger strings, enabling remote code execution. Infrastructure analysis and operational patterns indicate moderate confidence attribution to the threat actor TeamPCP.
Pulse ID: 6a0c5b666ccb232590e33087
Pulse Link: https://otx.alienvault.com/pulse/6a0c5b666ccb232590e33087
Pulse Author: AlienVault
Created: 2026-05-19 12:45:26
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #Python #RAT #RCE #RemoteCodeExecution #SSH #SupplyChain #Troll #Worm #bot #AlienVault
-
Inside a Tor Backed Supply Chain Worm
A sophisticated npm supply chain attack was uncovered involving the typosquatted package crypto-javascri, designed to mimic the legitimate crypto-js library. The malware harvests npm and GitHub credentials from infected systems, hijacks maintainer accounts, and automatically republishes trojanized versions of packages under trusted identities. The final payload incorporates a weaponized Arti Tor client with credential theft, cryptomining capabilities, privilege escalation via SUID exploitation, and systemd-based persistence mechanisms. The campaign specifically targets Linux developer systems and CI/CD environments, using Tor-based command-and-control infrastructure to maintain anonymity and resilience. The attack creates significant downstream supply chain risk through its worm-like propagation model.
Pulse ID: 6a0d970b3015e77563f4a9fa
Pulse Link: https://otx.alienvault.com/pulse/6a0d970b3015e77563f4a9fa
Pulse Author: AlienVault
Created: 2026-05-20 11:12:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoMining #CyberSecurity #GitHub #InfoSec #Java #Linux #Malware #Mimic #NPM #OTX #OpenThreatExchange #RAT #Rust #SMS #SupplyChain #Trojan #Worm #bot #AlienVault
-
Cute insect button badges - we have butterflies to bees and worms to snails https://www.koolbadges.co.uk/index.php?main_page=advanced_search_result&search_in_description=1&keyword=insect #insect #butterfly #bumblebee #badges #cute #worm #snail #wildlife #koolbadges
-
Copycat hits another npm package
A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.
Pulse ID: 6a0b921d3574a6ef2eca8d47
Pulse Link: https://otx.alienvault.com/pulse/6a0b921d3574a6ef2eca8d47
Pulse Author: AlienVault
Created: 2026-05-18 22:26:37
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #DDoS #DoS #GitHub #InfoSec #InfoStealer #Malware #NPM #OTX #OpenThreatExchange #RAT #RCE #Worm #bot #botnet #cryptocurrency #iOS #AlienVault
-
Active Supply Chain Attack Compromises Packages on npm
An active npm supply chain attack has compromised packages in the @antv ecosystem, affecting the maintainer account 'atool'. The attack is part of the Mini Shai-Hulud campaign, involving 639 compromised package versions across 323 unique packages. Notable affected packages include echarts-for-react with 1.1 million weekly downloads, and widely-used @antv packages for data visualization. The malware uses obfuscated install-time payloads that harvest developer credentials, GitHub tokens, npm tokens, AWS credentials, and other secrets from development and CI/CD environments. Stolen data is encrypted with AES-256-GCM and exfiltrated to a command-and-control server, with GitHub repositories used as fallback channels. The malware contains worm-like functionality to republish compromised packages and propagate through the npm ecosystem.
Pulse ID: 6a0c1b289f4fe8b7bdf00a84
Pulse Link: https://otx.alienvault.com/pulse/6a0c1b289f4fe8b7bdf00a84
Pulse Author: AlienVault
Created: 2026-05-19 08:11:20
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #CyberSecurity #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #SupplyChain #Worm #bot #AlienVault
-
Seedworm Launches Global Espionage Campaign Abusing Signed Binaries and Node.js Orchestration
Pulse ID: 6a0954ff8b83b84d3ddeba4f
Pulse Link: https://otx.alienvault.com/pulse/6a0954ff8b83b84d3ddeba4f
Pulse Author: cryptocti
Created: 2026-05-17 05:41:19
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Espionage #InfoSec #Nodejs #OTX #OpenThreatExchange #RAT #SeedWorm #Worm #bot #cryptocti
-
🔥 TRENDING
📢 Mini Shai-Hulud: The Worm Returns and Goes Public
🔗 https://www.akamai.com/blog/security-research/2026/may/mini-shai-hulud-worm-returns-goes-public
#Mini #Shai-hulud #Worm #Returns #GlobalFeed #News #EN
Automatically posted by Global Feed Bot
-
Just a cute little bud. #worm #nature #tallgrass #wildlife
-
Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.
Pulse ID: 6a033220a0063c7c2a4f1d8f
Pulse Link: https://otx.alienvault.com/pulse/6a033220a0063c7c2a4f1d8f
Pulse Author: AlienVault
Created: 2026-05-12 13:58:56
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault
-
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale | SentinelOne
SentinelLABS has identified PCPJack, a toolset dedicated to stealing data from exposed cloud services and propagating the malware on other systems, as part of an ongoing cyber-attack campaign.
Pulse ID: 6a01c1b69e22786783aec606
Pulse Link: https://otx.alienvault.com/pulse/6a01c1b69e22786783aec606
Pulse Author: CyberHunter_NL
Created: 2026-05-11 11:47:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #SentinelLabs #SentinelOne #Worm #bot #CyberHunter_NL
-
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
Pulse ID: 6a01602e7960dd5e5c40421e
Pulse Link: https://otx.alienvault.com/pulse/6a01602e7960dd5e5c40421e
Pulse Author: Tr1sa111
Created: 2026-05-11 04:50:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Worm #bot #Tr1sa111
-
Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker "TeamPCP," free of charge. The catch: It wants your secrets.
#malware #worm #teampcp #stealet
https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/
-
Malware Worm Eliminates Rival, Seizes Control
Meet the malware worm with a ruthless streak - it not only eliminates rival malware from infected systems, but also seizes control and claims the compromised credentials for itself. This cunning worm is taking over, leaving other malicious operators with nothing.
#MalwareOperations #RivalMalwareElimination #CredentialHarvesting #Worm #EmergingThreats