Find notable cyber news and cases, enriched with sources, timelines, and signals.

Plain-crypto-js remote-access Trojan delivery

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 2 articles

Summary

Hide ▲

The malicious plain-crypto-js dependency delivered a remote-access Trojan (RAT) that can run on Windows, Linux, and Mac, extending the open-source supply-chain compromise into a cross-platform malware delivery event.

Related Happenings

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
H score34 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Timeline

  1. 04.04.2026 23:30 1 articles · 3mo ago

    Google links Axios npm compromise to UNC1069

    Attribution Update

    Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

    Show sources
  2. 31.03.2026 23:55 1 articles · 3mo ago

    Malicious Axios releases deliver plain-crypto-js RAT

    Initial Disclosure

    StepSecurity identified two malicious Axios releases, [email protected] and [email protected], after the maintainer account "jasonsaayman" was compromised. The releases added plain-crypto-js, a dependency that impersonated crypto-js and executed a script to install a remote-access Trojan capable of functioning across Windows, Linux, and Mac; the payload also self-deleted and replaced package.json to hinder forensic analysis, and the malicious releases were active only for a few hours before NPM removed the campaign.

    Show sources