Find notable cyber news and cases, enriched with sources, timelines, and signals.

Npm typosquatting campaign distributing WinOS 4.0 implant

Campaign
First reported
Last updated
Happening score
H score 20
1 unique sources, 1 articles

Summary

Hide ▲

A npm typosquatting campaign distributing the WinOS 4.0 implant overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond one source. Researchers also found the same malicious loader infrastructure in other repositories, which raises the risk of repeated abuse across multiple packages. The overlap expands concern from a single malicious repo to a wider delivery operation.

Related Happenings

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score83 First: 06.06.2026 09:58 Last: 06.06.2026 09:58 Sources 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

Hugging Face shared-loader supply chain campaign

Campaign
H score79 First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
H score45 First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Timeline

  1. 09.05.2026 17:26 2 articles · 2mo ago

    WinOS 4.0 npm typosquatting overlap identified

    Campaign Scope Update

    HiddenLayer researchers noticed overlap between a malicious repository campaign and an npm typosquatting operation distributing the WinOS 4.0 implant, broadening concern beyond a single package and indicating a wider delivery effort.

    Show sources