Threat Research

A software supply chain attack targeted the widely used axios NPM package by injecting a malicious dependency, plain-crypto-js, into specific versions, impacting millions of users. The malicious code acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems....

Between late February and March 2026, TeamPCP launched a calculated series of escalating supply chain attacks. They compromised trusted open-source security tools like Trivy, KICS, and the AI gateway LiteLLM. The campaign also targeted the official Python SDK of Telnyx. Malicious infostealer payloads were injected into GitHub Actions and PyPI registries....

Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....

A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....

UNC2814 is a PRC-aligned cyber espionage group active since at least 2017. It targets telecom and government sectors to steal communications intelligence and PII. The group has operated in 42 confirmed countries and over 70 suspected across multiple regions Africa, Asia, and the Americas....

In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices....

DarkSword is a sophisticated iOS full-chain exploit leveraging multiple zero-day vulnerabilities to fully compromise devices running iOS 18.4 to 18.7. Since late 2025, it has been used by commercial surveillance vendors and state-sponsored actors across campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine....

Boggy Serpens (also known as MuddyWater), an Iranian state-linked threat group associated with MOIS, continues to conduct cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors such as energy, maritime, and finance....

In March 2026, the team identified activity by a China-nexus threat actor targeting countries in the Persian Gulf region. The campaign used a multi-stage attack chain to deploy a PlugX backdoor variant on compromised systems. Both the shellcode and PlugX backdoor employed obfuscation techniques to hinder reverse engineering....

A state-sponsored threat cluster tracked as CL-STA-1087, suspected to be linked to China, has conducted a long-term cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. The attackers focused on collecting sensitive intelligence related to military capabilities, organizational structures, and cooperation with Western armed forces....