Threat Research

    A software supply chain attack targeted the widely used axios NPM package by injecting a malicious dependency, plain-crypto-js, into specific versions, impacting millions of users. The malicious code acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems....
    North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to operate at a global scale, conducting espionage, financial crime, and access-driven attacks. While their malware, lures, and objectives evolve, these groups consistently reuse infrastructure such as IP addresses, certificates, open directories, and shared tooling....
    In May 2025, the North Korean-aligned threat actor Famous Chollima began deploying a Python-based version of their remote access trojan (RAT) called PylangGhost, which shares many capabilities with the previously known GolangGhost RAT. The Python RAT targets Windows systems, while the Golang version continues to target macOS users....
    Unit 42 researchers have linked a North Korean IT worker group, CL-STA-0237, to phishing attacks using malware-infected video conference apps like BeaverTail. Operating from Laos, the group exploited a U.S. IT services company to secure a job at a major tech firm. CL-STA-0237 is part of a larger network supporting North Korea's illicit activities, including WMD and missile prog...