Threat Research

Threat Research

Threat Research

Long-form analysis. Kill chains, post-mortems, deep dives.

THREAT RESEARCH Trinity of Chaos: Anatomy of the ShinyHunters Data-Extortion Machine
· 9 min read

Since 2019, ShinyHunters has gone from selling scraped databases on RaidForums to running the largest SaaS data-extortion operation in history — 300+ breaches, 90+ named victims, and well over a billion records. This is the full profile: the 2020–2026 timeline,...

THREAT RESEARCH IronWorm: A Rust npm Worm with a Kernel eBPF Rootkit and Tor C2
· 15 min read

In early June 2026, the npm account behind the WeaveDB/Arweave web3 ecosystem was used to push 36 packages carrying a 976 KB Rust ELF infostealer that loads an eBPF kernel rootkit, beacons over Tor, sweeps 86 credential variables, and self-propagates...

THREAT RESEARCH Dissecting WAVESHAPER.V2: The macOS RAT Behind the Axios npm Attack
· 18 min read

On March 31, 2026, a socially-engineered account takeover let North Korea's UNC1069 push two poisoned axios releases — 100M+ weekly downloads — that pulled in a typosquatted dependency whose postinstall hook (SILKBELL) dropped a cross-platform RAT. This is a ground-up...

THREAT RESEARCH Mini Shai-Hulud: Dissecting the SAP CAP npm Supply Chain Worm
· 24 min read

On April 29, 2026, four SAP CAP npm packages were poisoned with a credential-stealing worm that reached over 1,100 developer repositories within hours. This post consolidates findings from eight vendor reports and adds deployable YARA, Sigma, and KQL detection rules....

THREAT RESEARCH Dissecting the LiteLLM Kill Chain
· 1 min read

The LiteLLM compromise that landed on PyPI yesterday is a textbook example of the “trust gradient” attack: a popular OSS package, a maintainer who reuses credentials across services, and a build pipeline that publishes whatever the maintainer pushes. Here’s the...