Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception
Threat Actor Meta
Summary
Hide ▲
Show ▼
Shifty Corsair has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against Web3 targets. The group now combines fake companies, fake job interviews, layered package delivery, and AI-generated code to make malicious projects look legitimate. Its reach spans npm, PyPI, and GitHub-hosted artifacts, showing a broader and more adaptive delivery network. That shift matters because it improves deception, evasion, and scale across multiple package ecosystems.
Related Happenings
OpenAI and Trail of Bits launch Patch the Planet open-source security program
Commercial Activity
H score1
First: 23.06.2026 06:56
Last: 23.06.2026 06:56
Sources 1
About this happening:
OpenAI launched **Patch the Planet** with **Trail of Bits** to help secure **open-source projects**, expanding a cybersecurity-focused partnership program for maintainers and defe...
OpenAI and Trail of Bits launch Patch the Planet open-source security program
Commercial ActivityAbout this happening: OpenAI launched **Patch the Planet** with **Trail of Bits** to help secure **open-source projects**, expanding a cybersecurity-focused partnership program for maintainers and defe...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Miasma software supply chain campaign expands to new PyPI wave
Campaign
H score29
First: 09.06.2026 19:34
Last: 09.06.2026 19:34
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into a new **PyPI** wave, increasing the risk that developers and downstream users will ingest **information-stealing malware** t...
Miasma software supply chain campaign expands to new PyPI wave
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** wave, increasing the risk that developers and downstream users will ingest **information-stealing malware** t...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Timeline
-
29.04.2026 17:43 2 articles · 2mo ago
PromptMink and related supply-chain tradecraft are publicly disclosed
Initial DisclosureA North Korean supply-chain malware campaign linked to Famous Chollima, also known as Shifty Corsair, combines AI-assisted package creation, layered npm dependencies, and typosquatting to hide malicious code in packages such as @validate-sdk/v2 and @hash-validator/v2, steal crypto wallet credentials and funds, and extend delivery into PyPI and GitHub-hosted artifacts for Web3 developer targets.
Show sources
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs — thehackernews.com — 29.04.2026 17:43
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs — thehackernews.com — 29.04.2026 17:43