SMS Blaster Phishing Takedown and Supply Chain Attacks Highlight Rising Abuse of Legitimate Tools
Summary
A coordinated law enforcement operation in Canada dismantled an SMS blaster phishing ring that impersonated cellular towers to deliver fraudulent SMS messages to tens of thousands of devices, harvesting sensitive credentials. In parallel, multiple software supply chain attacks exploited npm and PyPI ecosystems: a malicious npm package impersonating TanStack exfiltrated developer environment variables during installation, and a compromised PyPI package (elementary-data) leveraged a GitHub Actions script-injection vulnerability to deploy a credential stealer. Additional campaigns weaponized legitimate remote-control tools such as the Komari agent for SYSTEM-level backdoors and introduced next-generation phishing kits (Saiga 2FA, Phoenix System) integrating advanced post-compromise capabilities and telemetry for targeted attacks.
Timeline
- 30.04.2026 16:55 · 1 article
Law enforcement dismantles SMS blaster phishing ring; supply chain attacks escalate with npm and PyPI compromises
A coordinated arrest of three individuals in Canada targeted an SMS blaster device that impersonated cellular towers to deliver phishing messages to tens of thousands of devices. In parallel, two separate software supply chain compromises were disclosed: an npm package impersonating TanStack exfiltrating developer environment variables during installation, and a compromised PyPI package (elementary-data) leveraging a GitHub Actions script-injection vulnerability to deploy a credential stealer. Concurrently, threat actors deployed the Komari agent as a SYSTEM-level backdoor following VPN credential compromise, and introduced next-generation phishing kits integrating advanced post-compromise capabilities and telemetry for targeted campaigns.
Sources:
- ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55
Information Snippets
- Three individuals were arrested in Canada for operating an SMS blaster device that mimicked legitimate cellular towers, sending phishing SMS messages to tens of thousands of devices over several months.
  First reported: 30.04.2026 16:55 · 1 source, 1 article
  Sources:
  - ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55
- A malicious npm package named "tanstack" (versions 2.0.4–2.0.7) was observed exfiltrating environment variables including .env files during installation to an attacker-controlled endpoint.
  First reported: 30.04.2026 16:55 · 1 source, 1 article
  Sources:
  - ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55
- An attacker compromised the PyPI package "elementary-data" version 0.23.3 by exploiting a script-injection vulnerability in its GitHub Actions workflow, embedding a malicious .pth file to steal developer credentials and cryptocurrency wallet data.
  First reported: 30.04.2026 16:55 · 1 source, 1 article
  Sources:
  - ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55
- Threat actors used stolen VPN credentials and the Impacket smbexec.py tool to pivot into a Windows workstation, then deployed the Komari agent—a Go-based remote-control tool—as a SYSTEM-level backdoor, marking its first documented abuse in a real-world intrusion.
  First reported: 30.04.2026 16:55 · 1 source, 1 article
  Sources:
  - ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55
- Two new phishing kits, Saiga 2FA and Phoenix System, integrate post-compromise capabilities and telemetry for precision targeting, with Phoenix System tied to over 2,500 phishing domains since January 2025 and used in SMS-based campaigns.
  First reported: 30.04.2026 16:55 · 1 source, 1 article
  Sources:
  - ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55
- The npm package "js-logger-pack", attributed to North Korean threat actor Famous Chollima, installs a WebSocket stealer via a postinstall hook to exfiltrate browser sessions, wallet credentials, cloud tokens, and keystrokes across Windows, macOS, and Linux.
  First reported: 30.04.2026 16:55 · 1 source, 1 article
  Sources:
  - ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories — thehackernews.com — 30.04.2026 16:55