Threat Research
Threat Research
Long-form analysis. Kill chains, post-mortems, deep dives.
Since 2019, ShinyHunters has gone from selling scraped databases on RaidForums to running the largest SaaS data-extortion operation in history — 300+ breaches, 90+ named victims, and well over a billion records. This is the full profile: the 2020–2026 timeline,...
In early June 2026, the npm account behind the WeaveDB/Arweave web3 ecosystem was used to push 36 packages carrying a 976 KB Rust ELF infostealer that loads an eBPF kernel rootkit, beacons over Tor, sweeps 86 credential variables, and self-propagates...
On March 31, 2026, a socially-engineered account takeover let North Korea's UNC1069 push two poisoned axios releases — 100M+ weekly downloads — that pulled in a typosquatted dependency whose postinstall hook (SILKBELL) dropped a cross-platform RAT. This is a ground-up...
On April 29, 2026, four SAP CAP npm packages were poisoned with a credential-stealing worm that reached over 1,100 developer repositories within hours. This post consolidates findings from eight vendor reports and adds deployable YARA, Sigma, and KQL detection rules....
The LiteLLM compromise that landed on PyPI yesterday is a textbook example of the “trust gradient” attack: a popular OSS package, a maintainer who reuses credentials across services, and a build pipeline that publishes whatever the maintainer pushes. Here’s the...