Threat Alerts — Supply chain
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- Hijacked npm and Go Packages Hide a Stealer in Fake FontsHigh · Supply chain · 2026-06-29Researchers found two npm packages and 16 Go modules that quietly install a credential and crypto-wallet stealer the moment a developer opens the project in VS Code. The malware hides inside a fake font file and pulls its next stage from blockchain transactions to survive takedowns. It is the latest twist on North Korea's Contagious Interview campaign against developers.
- KDDI Breach Exposes Up to 14 Million Japanese Email LoginsHigh · Supply chain · 2026-06-29KDDI says attackers reached the email systems behind six Japanese internet providers and may have exposed up to 14.2 million email logins, including former and inactive accounts. The intrusion came through a flaw in third-party software and was caught on 17 June. Anyone using one of these mailboxes for business should reset the password and turn on two-step verification now.
- Supply Chain Worm Spreads From npm Into the Go EcosystemWatch · Supply chain · 2026-06-28The Shai-Hulud supply chain attack, also tracked as Miasma, has hit a fresh batch of npm packages and crossed into the Go ecosystem for the first time. It steals developer credentials and CI/CD secrets, then uses them to poison more packages automatically. Any business that builds software on npm or Go should check its pipelines.
- Hackers Drain 3 Million From Polymarket via a Third-Party ScriptHigh · Supply chain · 2026-06-27Polymarket lost close to 3 million dollars in crypto after attackers broke into one of its outside vendors and slipped malicious code into the website's front end. The company's own servers were never touched. It is a reminder that every third-party script on your site runs with your customers' trust.
- Texas Breach Exposes 3 Million Hunting Licence Holders' ID DocumentsHigh · Supply chain · 2026-06-21An attack on a third-party vendor that handles Texas hunting and fishing licences has exposed driver's licence numbers, passport numbers, home addresses, and contact details for 3,087,721 Texans. The unnamed vendor has not disclosed how the attacker got in, but Texas Cyber Command is investigating. Businesses should treat this as a reminder that vendor systems can become breach pathways even when your own security is solid.
- 144 Mastra npm Packages Hijacked to Spread a Crypto-Stealing TrojanHigh · Supply chain · 2026-06-17Attackers hijacked a former contributor's npm account and published 144 malicious packages under the Mastra AI framework's namespace, including @mastra/core, which sees over 900,000 weekly downloads. The packages pulled in a tampered dependency that ran a hidden crypto-stealing trojan during installation. Any developer or build server that installed an affected version since June 17 should treat the machine as compromised.
- GitHub Will Disable npm Install Scripts by Default to Stop Supply Chain AttacksWatch · Supply chain · 2026-06-12GitHub is turning off npm install scripts by default in npm version 12, due next month. The change blocks a common path attackers use to run malicious code during npm install. Any business whose developers or build servers pull npm packages should prepare now to avoid broken builds.
- Supply Chain Worm Compromises 73 Microsoft GitHub Repos and PyPI PackagesWatch · Supply chain · 2026-06-10A supply chain campaign called Miasma compromised 73 Microsoft repositories across GitHub and poisoned three versions of the durabletask Python package on PyPI, targeting developers who use AI coding tools. The attack harvested OIDC tokens from CI/CD pipelines and installed credential stealers on developer machines. All Microsoft repos have been restored; developers who pulled the malicious durabletask versions need to rotate credentials immediately.