Find notable cyber news and cases, enriched with sources, timelines, and signals.

Npm registry spear-phishing campaign targeting sales personnel

Campaign
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

Unknown threat actors ran a five-month spear-phishing campaign that abused 27 npm packages as browser-hosting infrastructure, turning a software registry into a resilient credential-theft delivery channel. The operation targeted 25 organizations and sales and commercial personnel across multiple sectors in the U.S. and Allied nations, making the login-harvesting effort broader and more durable than a one-off phishing page.

Related Happenings

North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale

Threat Actor Meta
H score31 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack

Incident
H score13 First: 01.06.2026 20:40 Last: 01.06.2026 20:40 Sources 1

About this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...

VENOM closed-access PhaaS operating model limits researcher visibility

Threat Actor Meta
H score18 First: 10.04.2026 00:37 Last: 10.04.2026 00:37 Sources 1

About this happening: **VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...

Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery

Security Tool/Service
H score58 First: 08.04.2026 12:16 Last: 08.04.2026 12:16 Sources 1

About this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...

Latest development: 03.06.2026 14:00

President Donald Trump signed a June 2 executive order that sets up a voluntary framework for developers of covered frontier models to give the US government access for cybersecurity review for up to 30 days before release, while expressly rejecting any mandatory licensing or preclearance requirement. The order directs NSA, CISA, and NIST to build a classified benchmark for determining which models cross the covered threshold and creates an AI cybersecurity clearinghouse led by the Treasury Department. The framework closely echoes Anthropic's Project Glasswing, which gives vetted partners early access to Claude Mythos Preview to scan critical software for vulnerabilities.

Timeline

  1. 29.12.2025 11:44 2 articles · 6mo ago

    npm package phishing campaign disclosure

    Initial Disclosure

    Unknown threat actors ran a five-month npm phishing campaign that uploaded 27 packages from six aliases and used npm/package CDN-hosted HTML and JavaScript lures to impersonate document-sharing portals and Microsoft sign-in, targeting 25 organizations and sales and commercial personnel across manufacturing, industrial automation, plastics, and healthcare in the U.S. and Allied nations for credential theft; the packages also used bot filtering, sandbox evasion, mouse-or-touch checks, honeypot fields, and overlap with Evilginx-associated adversary-in-the-middle infrastructure.

    Show sources