ReversingLabs threat intelligence researchers have documented an active campaign exploiting a flaw in Google's Family Link parental controls feature to permanently lock victims out of their accounts — bypassing MFA entirely. The attack starts with a Discord phishing lure: a fake game download that harvests credentials and hijacks browser sessions. Attackers use that access to reclassify the victim as a minor, assign a malicious "parent" account, and reset the password — blocking every recovery path. Active victim reports date back nearly two years. Full technical breakdown, IoCs, and mitigations at the link. https://hubs.ly/Q04h8s-30 #ThreatIntelligence #Malware #AccountTakeover #Google #ReversingLabs
ReversingLabs
Computer and Network Security
Cambridge, Massachusetts 55,670 followers
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
About us
ReversingLabs is the trusted name in file and software security. We provide the modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, the ReversingLabs Spectra Core powers the software supply chain and file security insights, tracking over 40 billion searchable files daily with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers. RL - Trust Delivered.
- Website: http://www.reversinglabs.com
- Industry: Computer and Network Security
- Company size: 201-500 employees
- Headquarters: Cambridge, Massachusetts
- Type: Privately Held
- Founded: 2009
- Specialties: Cyber security, Reverse engineering, Cyber threats, APT, Malware, Threat intelligence, Malicious code, Static analysis, Threat detection, Computer forensics, Malware detection, Cyber forensics, File reputation, Predictive detection, Malware Lab, Application Security, Software Supply Chain Security, Container Security, DevSecOps, DevOps, InfoSec, and Information Security
Locations
- Primary: 222 3rd St, unit 1101, Cambridge, Massachusetts 02142, US
Updates
-
639 malicious npm packages. One compromised account. One hour. Mini Shai-Hulud rocks the OSS ecosystem again. Threat researchers caught an active supply chain attack in near real time — and the scale is significant. The compromised npm maintainer account atool was used to push malicious versions across 323 unique packages, including echarts-for-react (~1.1M weekly downloads) and core @antv data visualization libraries. The payload is an obfuscated install-time credential stealer — harvesting AWS keys, GitHub PATs, npm tokens, SSH keys, and more — with self-propagating capability that used stolen tokens to inject and republish additional packages. That's how 639 versions shipped in under an hour. Researchers also found the worm forges Sigstore-compatible in-toto provenance attestations for every package it republishes — meaning secondary victims' packages carry what appears to be valid SLSA provenance. The SLSA attestation failure mode extends beyond the initial compromise to every worm-propagated package. "Trust but verify" just got harder when the attacker is signing malware with your stolen identity. ReversingLabs confirmed analyst-vetted malware in v3.2.7. The package has been removed from the registry. Review the full RL Spectra Assure Community record here: https://lnkd.in/e-9hwCy2 If you pulled any @antv or atool-maintained package today, rotate all credentials from that environment immediately.
-
Your peers have done the evaluation. Here's what they found when they put ReversingLabs Spectra Assure to the test on Gartner Peer Insights. Ready to try it out for yourself? Take the virtual tour: https://lnkd.in/eg34BKrF
-
ClickFix: Copy, paste, compromise. ReversingLabs threat analyst Toni Dujmovic is taking the floor at Span Cyber Security Arena 2026 to explain how ClickFix, an evolving social engineering attack, tricks users into executing malicious scripts via Windows Run or macOS Terminal. Dujmovic will demo the following:
* Exploring the MaaS ecosystem fueling kits containing payloads like Lumma and DarkGate
* Analyzing a real-world April 2026 attack on a website
* Providing actionable IOCs, custom YARA rules and behavioral hardening strategies for defenders

Wednesday, 20 May 2026
11.00 – 11.45 AM CET
Pical Resort 5*, Poreč, Croatia
Connect with RL at the conference to learn more.
-
As RL CEO Mario Vuksan said: "This piece absolutely nails it — Saša Zdjelar's argument that Mythos is the 'past-due notice' finally forcing the software industry to confront 20 years of deferred quality, leaked secrets, and known-exploited vulnerabilities is an urgent wake-up call. It could turn the procurement contract into the lever that could actually fix what regulators, EULAs, and CISO assurances never have!" Read more here: https://hubs.ly/Q04gP2dc0
-
The Shai-Hulud malware framework just went open source — deliberately. TeamPCP, the group behind recent compromises of 150+ npm and PyPI packages, dropped their full source code on GitHub with instructions to customize it for new attacks. This isn't a leak. It's a blueprint, handed to anyone who wants it. The framework harvests credentials from 100+ file paths, poisons CI/CD pipelines, and includes a deadman switch that wipes systems if stolen tokens are revoked. Traditional vulnerability scanning won't catch it. As ReversingLabs' Tomislav Peričin notes: Now is the time to invest in behavioral-based detection and supply chain integrity — before the copycat campaigns arrive. https://hubs.ly/Q04gNfcz0 #SupplyChainSecurity #AppSec #DevSecOps #CyberSecurity
-
ReversingLabs is thrilled to welcome our newest team members: Adam Green, Ivana Bodul, and Petra Livaja Mušac! We are thankful for their valuable skills and perspectives, which will contribute to our collective success. #GoTeam To learn more about open positions at ReversingLabs, visit our careers page: https://lnkd.in/dT4ukvB
-
ReversingLabs reposted this
State of Software Supply Chain Security in 2026: developers keep getting compromised by packages that have already been compromised. Yesterday, node-ipc was hit again. In any other era that would be a story. In 2026 it barely registers — we've watched far more popular packages fall in just the last few months. But node-ipc deserves a pause. It's been compromised TWICE in the last four years. And across that entire window, exactly one trustworthy version of the package has shipped: https://lnkd.in/dYn4EsAx How do we move forward when we keep stumbling back? How do we secure software when threat actors have turned open source into a big-game hunting ground — competing over who bags the biggest trophy. node-ipc isn't a cautionary tale. There are no more warning shots. No more wake-up calls. This is the default state now. The only way out is to stop trusting names and start verifying artifacts — every version, every time. Anything less is just waiting for the next post like this one.
-
Mini Shai-Hulud is back. Here's what RL researchers know — and some key responses your team can take on this #SoftwareSupplyChain attack. https://hubs.ly/Q04gDc3g0