
Plain-crypto-js remote-access Trojan delivery

Malware Activity
H score 22
2 unique sources, 2 articles

Summary


The malicious plain-crypto-js dependency delivered a remote-access Trojan (RAT) that can run on Windows, Linux, and Mac, extending the open-source supply-chain compromise into a cross-platform malware delivery event.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace

Security Tool/Service
First: 12.05.2026 01:03 Last: 12.05.2026 01:03 Sources 1

About this happening: A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...

Timeline

  1. 04.04.2026 23:30 · 1 article

    Google links Axios npm compromise to UNC1069

    Attribution Update

    Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

  2. 31.03.2026 23:55 · 1 article

    Malicious Axios releases deliver plain-crypto-js RAT

    Initial Disclosure

    StepSecurity identified two malicious Axios releases, [email protected] and [email protected], after the maintainer account "jasonsaayman" was compromised. The releases added plain-crypto-js, a dependency that impersonated crypto-js and executed a script to install a remote-access Trojan capable of functioning across Windows, Linux, and Mac. The payload also self-deleted and replaced package.json to hinder forensic analysis. The malicious releases were active for only a few hours before npm removed the campaign.

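An added example (not from the original page, StepSecurity, or npm): a lockfile audit that reports whether plain-crypto-js was resolved into a project and which package declared it, reading the lockfile because the timeline says the installed package.json was replaced. It assumes an npm lockfile v2/v3 `packages` map; the sample lockfile and its version strings are constructed placeholders, and the `hasInstallScript` check assumes the script ran through an install lifecycle hook, which the page does not state.

```javascript
// Added example: audit a parsed package-lock.json (v2/v3) for a named dependency.

// Lockfile key -> package name, e.g.
// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root key "" -> null.
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}

// Returns one record per resolved copy of `target` in the lockfile.
function findDependency(lock, target) {
  const packages = lock.packages || {};
  const depFields = ["dependencies", "optionalDependencies", "peerDependencies"];
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (nameFromPath(path) !== target) continue;
    // Simplification: list every entry that declares `target` by name,
    // without replaying npm's nested node_modules resolution.
    const requiredBy = Object.entries(packages)
      .filter(([, m]) => depFields.some((k) => m[k] && Object.keys(m[k]).includes(target)))
      .map(([p, m]) => `${nameFromPath(p) || m.name || "(root)"}@${m.version || "?"}`);
    hits.push({
      path,
      version: meta.version || null,
      resolved: meta.resolved || null,
      // npm sets this flag when the package declares install lifecycle scripts.
      hasInstallScript: meta.hasInstallScript === true,
      requiredBy,
    });
  }
  return hits;
}

// Constructed sample lockfile; every version string is a placeholder, not a real release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0", dependencies: { axios: "*" } },
    "node_modules/axios": {
      version: "0.0.0-placeholder",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder", hasInstallScript: true },
  },
};

console.log(JSON.stringify(findDependency(SAMPLE_LOCK, "plain-crypto-js"), null, 2));
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json in place of `SAMPLE_LOCK`; a non-empty result names the lockfile path and the declaring package to investigate.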