https://opensourcemalware.com/blog Security research and threat intelligence from OpenSourceMalware en-us Sat, 11 Apr 2026 01:39:48 GMT https://opensourcemalware.com/blog/contagious-interview-comprehensive https://opensourcemalware.com/blog/contagious-interview-comprehensive A single NPM package that led us to the Lazarus Groups latest campaign targeting software engineers using fake recruiters on LinkedIn, Fiverr and UpWork. Fri, 20 Nov 2026 00:00:00 GMT Paul McCarty https://opensourcemalware.com/blog/velora-hacked https://opensourcemalware.com/blog/velora-hacked The npm package @velora-dex/sdk version 9.4.1 contains malicious code that automatically downloads and executes a shell script from a remote server when the package is imported, giving attackers arbitrary code execution on the victim's system. Wed, 08 Apr 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/social-engineering-playbook https://opensourcemalware.com/blog/social-engineering-playbook Account takeovers are some of the most harmful malware campaigns. Many start by compromising a maintainer account through social engineering. Wed, 01 Apr 2026 00:00:00 GMT Jenn https://opensourcemalware.com/blog/axios-compromised https://opensourcemalware.com/blog/axios-compromised The Axios NPM package has been compromised and the maintainer of the project has been locked out of their account. This will go down in history as one of the most successful software supply chain attacks ever Tue, 31 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/tasksjacker-blog-post https://opensourcemalware.com/blog/tasksjacker-blog-post A technical deep-dive into the next generation of DPRK attacks that borrows from Shai-hulud and Contagious Interview to compromise dozens of GitHub users Tue, 31 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/teampcp-purehvnc-campaign https://opensourcemalware.com/blog/teampcp-purehvnc-campaign New threat campaign using PureHVNC has been tied to TeamPCP. Tue, 31 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/teampcp-supply-chain-campaign https://opensourcemalware.com/blog/teampcp-supply-chain-campaign TeamPCP executed a cascading multi-phase supply chain attack in March 2026, leveraging a single unrevoked credential stolen from Trivy's CI pipeline to compromise several ecosystems — Aqua Security, npm, LiteLLM/PyPI, Checkmarx, and Telnyx — harvesting CI/CD secrets at each stage to fund the next, while also deploying a geotargeted filesystem wiper against Iranian infrastructure. Thu, 26 Mar 2026 00:00:00 GMT Jenn https://opensourcemalware.com/blog/teampcp-litellm-pypi-supply-chain-attack https://opensourcemalware.com/blog/teampcp-litellm-pypi-supply-chain-attack TeamPCP compromised the LiteLLM maintainer's PyPI account and published malicious versions that steal credentials from every Python process on the host. The attack is connected to the prior Trivy GitHub Actions compromise and the aquasec-com org defacement. Wed, 25 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise TeamPCP compromised the aquasec-com GitHub organization, renaming all 44 repositories and exposing internal source code, CI/CD configs, and knowledge bases. Forensic analysis points to a stolen service account token from the prior Trivy GitHub Actions compromise. Mon, 23 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/four-arms-one-monster https://opensourcemalware.com/blog/four-arms-one-monster Multiple security researchers identify new Glassworm attacks that have compromised 430+ GitHub projects and attacked GitHub, NPM, the VS Code marketplace and Open-VSX Mon, 16 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/polinrider-attack https://opensourcemalware.com/blog/polinrider-attack A North Korean threat actor is implanting malware in hundreds of GitHub users and organizations repositories. This malware is the latest DPRK Beavertail variant that steals crednetials, crypto and installs a RAT. Sun, 08 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/neutralinojs-compromise https://opensourcemalware.com/blog/neutralinojs-compromise The popular Neutralinojs framework was compromised in early March by DPRK threat actors as part of a larger attack that utilizes stolen GitHub credentials to force-push backdated malicious commits Fri, 06 Mar 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/malicious-clawhub-skills-hide-in-plain-sight https://opensourcemalware.com/blog/malicious-clawhub-skills-hide-in-plain-sight Threat actors have evolved their ClawHub attack strategy by moving payloads to convincing fake websites, allowing them to continue their malicious campaign Mon, 09 Feb 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/xpack-attack https://opensourcemalware.com/blog/xpack-attack A new NPM malware campaign weaponizes NPM to extort crypto payments from developers during package installation Mon, 09 Feb 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto Malicious ClawdBot Skills Target ByBit, Polymarket, Axiom, Reddit and LinkedIn to Install Malware Sun, 01 Feb 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/contagious-code-fake-font https://opensourcemalware.com/blog/contagious-code-fake-font North Korean Lazarus Group creates new version of Contagious Interview that uses VS Code tasks to lauch malware hiding in fake fonts Wed, 28 Jan 2026 00:00:00 GMT Paul McCarty https://opensourcemalware.com/blog/oss-maintainters-vscode-tasks-compromised https://opensourcemalware.com/blog/oss-maintainters-vscode-tasks-compromised At least 21 small OSS maintainers hit in 72 hours via malicious VS Code task configurations Mon, 26 Jan 2026 00:00:00 GMT 6mile https://opensourcemalware.com/blog/contagious-interview-malware-comparisons https://opensourcemalware.com/blog/contagious-interview-malware-comparisons A deep-dive analysis on the different malware used across the contagious-interview threat campaigns. What do they steal? How do they maintain persistence? Do they target crypto wallets? Sat, 24 Jan 2026 00:00:00 GMT Paul McCarty https://opensourcemalware.com/blog/contagious-interview-developer-best-practices https://opensourcemalware.com/blog/contagious-interview-developer-best-practices A single NPM package that led us to the Lazarus Groups latest campaign targeting software engineers using fake recruiters on LinkedIn, Fiverr and UpWork. Tue, 20 Jan 2026 00:00:00 GMT Paul McCarty https://opensourcemalware.com/blog/one-api-to-query-them-all https://opensourcemalware.com/blog/one-api-to-query-them-all Introducing the unified check-malicious API endpoint - a single, standardized way to query packages, repositories, URLs, and domains for malicious content. Sat, 10 Jan 2026 00:00:00 GMT OpenSource Malware Team https://opensourcemalware.com/blog/contagious-interview-malicious-dictionary https://opensourcemalware.com/blog/contagious-interview-malicious-dictionary North Korean threat actors are hiding multi-stage malware droppers in VSCode configuration files, disguised as spell-check dictionaries, to compromise developers through fake job interviews and establish persistent backdoors with remote code execution capabilities. Tue, 23 Dec 2025 00:00:00 GMT Paul McCarty https://opensourcemalware.com/blog/elf-stats-spam-campaign https://opensourcemalware.com/blog/elf-stats-spam-campaign Security research and threat intelligence. Wed, 03 Dec 2025 00:00:00 GMT 6mile https://opensourcemalware.com/blog/contagious-interview-vscode https://opensourcemalware.com/blog/contagious-interview-vscode Security research and threat intelligence. Sat, 29 Nov 2025 00:00:00 GMT 6mile https://opensourcemalware.com/blog/indonesianfoods-npm-worm https://opensourcemalware.com/blog/indonesianfoods-npm-worm An in-depth analysis of the IndonesianFoods worm, a coordinated attack that published over 86,500 malicious packages to the NPM registry, affecting 60 NPM users and more than doubling the known number of malicious NPM packages. Thu, 13 Nov 2025 00:00:00 GMT Paul McCarty https://opensourcemalware.com/blog/security-best-practices https://opensourcemalware.com/blog/security-best-practices Essential security practices every developer should follow to protect their projects from malicious dependencies. Thu, 25 Jan 2024 00:00:00 GMT DevSec Team https://opensourcemalware.com/blog/supply-chain-attacks https://opensourcemalware.com/blog/supply-chain-attacks A deep dive into how attackers compromise open source packages and what you can do to protect your projects. Sat, 20 Jan 2024 00:00:00 GMT Security Research Team https://opensourcemalware.com/blog/getting-started https://opensourcemalware.com/blog/getting-started Learn how to contribute to the OpenSource Malware community and help protect the software supply chain from malicious packages. Mon, 15 Jan 2024 00:00:00 GMT OpenSource Malware Team