PhantomRaven campaign uploads over 100 poisoned libraries infecting developer environments

Researchers identified multiple malicious npm packages that delivered infostealers targeting Windows, Linux and macOS systems, exfiltrating browser, keyring and CI/CD credentials.

Attackers used typosquatted libraries and obfuscated payloads, with some campaigns (e.g., PhantomRaven) uploading over 100 packages and infecting tens of thousands of developer environments.

Supply-chain abuse of developer ecosystems compromises build pipelines and source-control tokens: a single poisoned dependency that executes on a CI runner can hand over the credentials for every downstream repository and deployment that runner touches.
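The following Python script is an added example, not code from the article or from any of the packages it describes. It applies three checks a reviewer would run over a package.json after a campaign like this one: dependency specifiers that resolve outside the public registry (URL, git or file: specs bypass registry review entirely), package names within one edit of a well-known name (typosquat candidates, with transpositions such as "lodahs" counted as one edit), and lifecycle scripts that execute at install time. The known-package list and the sample manifest are constructed for this example; in practice derive the list from your own lockfile history or a registry download-count snapshot.

```python
"""Audit an npm manifest for supply-chain red flags (added example, not from the article)."""
import json
import re

# Constructed allow-list of well-known names; replace with your own inventory.
KNOWN_PACKAGES = {"lodash", "express", "axios", "chalk", "commander", "debug", "request"}

# Scripts npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Specifiers that fetch code from somewhere other than the registry:
# http(s) URLs, git URLs, the github: shorthand, file: paths and bare user/repo.
REMOTE_SPEC = re.compile(r"^(https?://|git(\+\w+)?:|github:|file:|[\w-]+/[\w.-]+$)")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'lodahs' vs 'lodash' scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=1):
    """Known names that `name` is suspiciously close to, but not equal to."""
    if name in known:
        return []
    return sorted(k for k in known if osa_distance(name, k) <= max_distance)


def audit_manifest(manifest):
    """Return (severity, finding) tuples for a parsed package.json dict."""
    findings = []
    deps = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(field, {}))
    for name, spec in deps.items():
        if REMOTE_SPEC.match(spec):
            findings.append(("high", f"{name}: non-registry specifier {spec!r}"))
        near = typosquat_candidates(name)
        if near:
            findings.append(("medium", f"{name}: looks like {', '.join(near)}"))
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(("medium", f"{hook} script runs at install time: {scripts[hook]!r}"))
    return findings


# Constructed sample manifest: one typosquat, one remote tarball, one install hook.
SAMPLE_MANIFEST = json.loads("""{
  "name": "example-app",
  "dependencies": {
    "express": "^4.18.2",
    "lodahs": "1.0.3",
    "helper-lib": "https://example.invalid/helper-lib.tgz"
  },
  "scripts": {
    "postinstall": "node setup.js"
  }
}""")

if __name__ == "__main__":
    for severity, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {finding}")
```

Run it against a real tree with `json.load(open("package.json"))`; the same checks apply to each package's own manifest inside node_modules, which is where a transitive dependency hides its install hook.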

Dentsu subsidiary Merkle reports data breach exposing client and employee information

Global advertising conglomerate Dentsu disclosed that U.S.-based subsidiary Merkle suffered a cyber incident exposing client and employee information, prompting system shutdowns and forensic review.

Exfiltrated data may include personal identifiers, payroll and customer records, impacting marketing workflows and downstream service providers.

This highlights third-party and supply chain exposure risks within data-driven industries handling high volumes of PII.

Qilin ransomware abuses Windows Subsystem for Linux to deploy Linux encryptors on Windows

The Qilin group deployed a new technique that uses Windows Subsystem for Linux (WSL) to execute ELF-based Linux encryptors on Windows hosts, which many Windows-focused EDR products do not inspect.

Because the encryptor is an ELF binary running inside the WSL environment, Windows-specific detections keyed on PE files and Win32 API calls may not see it, while the Windows filesystem stays reachable through the WSL mount and can be encrypted from the Linux side.

Organizations running mixed Windows and Linux environments face an expanded attack surface as threat actors abuse legitimate OS features to run code outside the reach of platform-specific defenses. A practical first check is to inventory which hosts have the WSL optional feature enabled and whether they actually need it.

Atroposia malware includes built-in vulnerability scanner for targeted exploitation

Security analysts discovered “Atroposia,” a modular malware family with a local vulnerability-scanning component that profiles host weaknesses before exploitation.

The scanner ranks patch gaps and insecure configurations, enabling attackers to prioritize privilege escalation and payload deployment.

Such adaptive targeting reduces noise and improves attack success rates against unpatched enterprise assets.

SideWinder APT leverages Microsoft ClickOnce installers for South Asian espionage operations

The SideWinder group adopted Microsoft ClickOnce installers delivered through spear-phishing PDF lures to deploy .NET stealer payloads targeting diplomatic and government entities in South Asia.

The infection chain rides a legitimate installer mechanism to lower user suspicion and to install persistent implants capable of data exfiltration and surveillance.

This campaign illustrates ongoing APT innovation in abusing trusted software distribution features for espionage.
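Both the Qilin WSL item and the SideWinder ClickOnce item above come down to a trusted Windows component launching something it normally would not. The Python below is an added example, not code from the article or from any vendor, showing the two detection rules a SOC would write for these chains over Sysmon-style process-creation events (EventID 1 fields Image, ParentImage and CommandLine). Rule 1 flags wsl.exe/bash.exe started by a non-interactive parent or told to execute a binary under /mnt/ (the Windows filesystem as seen from Linux). Rule 2 flags the ClickOnce host dfsvc.exe, or rundll32 loading dfshim.dll, when the deployment manifest URL points at a host outside your own publishers, or when it is spawned by a document reader with no deployment URL at all. The shell, reader and trusted-host lists and all sample events are constructed assumptions for this example and must be tuned per estate.

```python
"""Two process-tree detection rules for WSL and ClickOnce abuse (added example)."""
import ntpath
import re

# Assumptions: parents from which a user normally starts WSL, document/browser
# processes that should not be launching installers, and your own ClickOnce hosts.
INTERACTIVE_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                      "windowsterminal.exe", "code.exe"}
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
DOC_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "msedge.exe",
               "chrome.exe", "firefox.exe", "outlook.exe", "winword.exe"}
TRUSTED_DEPLOY_HOSTS = {"apps.corp.example"}
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path ('' for missing fields)."""
    return ntpath.basename(path or "").lower()


def detect_wsl_abuse(event):
    """Rule 1: WSL used as an execution proxy. Returns a reason or None."""
    image, parent = basename(event.get("Image")), basename(event.get("ParentImage"))
    cmd = (event.get("CommandLine") or "").lower()
    if image not in WSL_LAUNCHERS:
        return None
    if parent not in INTERACTIVE_SHELLS:
        return f"{image} launched by non-interactive parent {parent}"
    # wsl -e / --exec and bash -c run an arbitrary program; a path under /mnt/
    # means it lives on the Windows filesystem, not in the distro image.
    if "/mnt/" in cmd and (" -e " in cmd or " --exec " in cmd or " -c " in cmd):
        return f"{image} executing payload from Windows filesystem: {cmd}"
    return None


def detect_clickonce_launch(event):
    """Rule 2: ClickOnce host started for an untrusted manifest or by a reader."""
    image, parent = basename(event.get("Image")), basename(event.get("ParentImage"))
    cmd = (event.get("CommandLine") or "").lower()
    is_clickonce = image == "dfsvc.exe" or (image == "rundll32.exe" and "dfshim.dll" in cmd)
    if not is_clickonce:
        return None
    hosts = set(URL_HOST.findall(cmd))
    untrusted = hosts - TRUSTED_DEPLOY_HOSTS
    if untrusted:
        return f"ClickOnce manifest from untrusted host {sorted(untrusted)} via {image}"
    if not hosts and parent in DOC_READERS:
        return f"{image} spawned by {parent} without a known deployment URL"
    return None


RULES = (detect_wsl_abuse, detect_clickonce_launch)


def scan(events):
    """Apply every rule to every event; return (event index, rule name, reason)."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((idx, rule.__name__, reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: developer opening WSL from Explorer: benign
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wsl.exe"},
    # 1: WSL told to run a binary dropped on the Windows filesystem: rule 1
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wsl.exe -e /mnt/c/Users/Public/enc --path /mnt/c/"},
    # 2: wsl.exe spawned by a service host instead of a user shell: rule 1
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wsl.exe -d Ubuntu"},
    # 3: ClickOnce launch from a PDF reader pointing at an external host: rule 2
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbApplication http://updates.example.invalid/app.application"},
    # 4: internal ClickOnce app from the trusted publisher: benign
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbApplication https://apps.corp.example/tool.application"},
]

if __name__ == "__main__":
    for idx, rule, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx} [{rule}] {reason}")
```

Rule 2 deliberately keys on the manifest host rather than on ClickOnce itself, because intranet ClickOnce apps launch through exactly the same rundll32/dfsvc chain; without an allow-list of your own publishers the rule would page on every legitimate deployment.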