Mastra Supply Chain Compromise: easy-day-js Dropper Pulls a Cross-Platform RAT Into @mastra InstallsÂ
Executive Summary On June 17 2026, a coordinated supply chain attack pushed a malicious easy-day-js package into the dependency tree of the entire @mastra/* npm organization. Any npm install for a compromised @mastra/* package pulls [email protected], which runs a postinstall…
From “Encrypt Everything” to “Encrypt for the Quantum Era”: The Upwind Cloud Cryptography Framework
For most of the last decade, cloud security teams have lived by a simple slogan: encrypt everything. Encrypt at rest. Encrypt in transit. Use customer-managed keys. Rotate them. Pass the audit. Move on. That slogan just expired. In August 2024,…
Miasma: A Worming npm Supply Chain Attack on Red Hat Cloud Services
Executive Summary On June 1, 2026, unauthorized commits were pushed to repositories in the RedHatInsights GitHub organization and used to publish malicious versions of 32 packages under the @redhat-cloud-services npm scope. The campaign, tracked as Miasma, executes a 4.2 MB…
No Way Out? Bypassing the AWS Data Perimeter with Bedrock AgentCore
A novel Command-and-Control (C2) channel weaponizes legitimate AWS services to establish two data channels, successfully circumventing one of the cloud’s strongest security defenses. Status: Infiltration Channel is FIXED, Exfiltration Channel is OPEN. TL;DR This research was presented at fwd:cloudsec North…
Upwind Researcher Spotlight: Dan Gansel
“You have to map the core logic and syntax of the system before you can find the interesting primitives.” This June 1st, Dan Gansel will walk on stage at fwd:cloudsec 2026 in North America to demonstrate a fully functional command-and-control…
Newly Discovered durabletask Malware Targeted Kubernetes, Cloud Secrets, and CI/CD Infrastructure
Executive Summary Upwind identified a critical supply chain compromise involving durabletask==1.4.1, 1.4.2, and 1.4.3, three consecutive malicious releases of Microsoft’s Azure Durable Task Python SDK published to PyPI. The malicious release contains a lightweight dropper embedded directly into durabletask/init.py. On…
The New Face of Supply Chain Attacks: npm Malware Built for CI/CD and Cloud Compromise
Executive Summary Upwind is tracking an active software supply chain campaign impacting multiple npm packages commonly used across developer tooling, frontend frameworks, CI/CD pipelines, and cloud-native application environments. We identified malicious payloads designed specifically to target CI/CD systems, cloud identities,…
The Supply Chain Strikes Again: Credential-Stealing Malware Hidden in node-ipc
Executive Summary On May 14, 2026, malicious versions of the widely used node-ipc npm package were published through a legitimate maintainer account, introducing a sophisticated credential-stealing payload into a package with approximately 3.35 million monthly downloads. The malicious payload was…
Shai-Hulud: Here We Go Again – Dissecting a Supply Chain Worm Across the TanStack Ecosystem
Executive Summary A new wave of the Mini Shai-Hulud campaign compromised dozens of official @tanstack/* npm packages by abusing CI/CD publishing workflows and trusted npm release mechanisms. Unlike traditional dependency malware focused only on downstream execution, this operation behaves as…
Dirty Frag: A Universal Linux Local Privilege Escalation via ESP and RxRPC (CVE-2026-43284 / CVE-2026-43500)
Executive Summary Dirty Frag is a new Linux kernel local privilege escalation that combines two kernel bugs – one in the IPsec subsystem and one in RxRPC, giving any unprivileged local user a root shell on every major distribution. The…