Rectifyq Cybersecurity News 🇲🇾

📃Title: macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
📅Date: 2026-05-18
🔗References:
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="SentinelOne"
mitre-attack-pattern=['T1560.001', 'T1539', 'T1074.001', 'T1036.005', 'T1555.001', 'T1204.002', 'T1082', 'T1059.002', 'T1005', 'T1555.003', 'T1083', 'T1566', 'T1059.004', 'T1027', 'T1567.002', 'T1543.001', 'T1070.004', 'T1071.001', 'T1102.001']

MISP event uuid: 9f05b1a5-3943-44f0-9c7a-e5523c92663d

SentinelOne

SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

SHub Reaper bypasses Apple's Terminal mitigation, steals credentials and documents, and plants a persistent backdoor for continued access after infection.

20 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: Active Supply Chain Attack Compromises Packages on npm
📅Date: 2026-05-19
🔗References:
https://socket.dev/blog/antv-packages-compromised

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1573.001', 'T1106', 'T1219', 'T1552.004', 'T1552.001', 'T1567.001', 'T1059.004', 'T1027', 'T1195.002', 'T1070.004', 'T1071.001', 'T1543.002', 'T1105', 'T1078.004', 'T1552.007']

MISP event uuid: 05e5980c-095e-4789-a521-73f3eb7e7b31

Socket

Mini Shai-Hulud Hits @antv Ecosystem, 639 Compromised npm Pa...

Active npm supply chain attack compromises @antv packages in a fast-moving malicious publish wave tied to Mini Shai-Hulud.

11 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: Copycat hits another npm package
📅Date: 2026-05-18
🔗References:
https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1543', 'T1082', 'T1053', 'T1005', 'T1140', 'T1567', 'T1552.004', 'T1016', 'T1087', 'T1059', 'T1552.001', 'T1027', 'T1573', 'T1195.002', 'T1496', 'T1485', 'T1498', 'T1071.001', 'T1552.007']

MISP event uuid: e1975520-e8cf-4ff6-91ab-31ba2c8ec017

theregister

Shai-Hulud copycat worm infects yet another npm package

Plus three other stealers in three other packages, all from the same scumbag

8 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
📅Date: 2026-05-20
🔗References:
https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1071.004', 'T1583.001', 'T1572', 'T1059', 'T1568', 'T1195.002']

MISP event uuid: dc882c2c-c7f2-45d3-b3fb-29500dcf9b18

Socket

A long-running Go typosquat impersonated the popular shopspring/decimal library and used DNS TXT records to execute commands.

10 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: Inside Banana RAT: From Build Server to Banking Fraud
📅Date: 2026-05-19
🔗References:
https://www.trendmicro.com/en_us/research/26/e/banana-rat.html

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Trend Micro"
• target-information="Brazil"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1056.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1115', 'T1082', 'T1140', 'T1055', 'T1185', 'T1112', 'T1083', 'T1041', 'T1059.001', 'T1566', 'T1001', 'T1027', 'T1071.001', 'T1564.001']

MISP event uuid: 0b84e4bb-274b-4d06-a180-f52c8b474e6d

Trend Micro

Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud

11 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: Latest PyPi Compromise
📅Date: 2026-05-19
🔗References:
https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Wiz Blog"
mitre-attack-pattern=['T1195.001', 'T1555.005', 'T1106', 'T1005', 'T1555.003', 'T1552.004', 'T1083', 'T1552.001', 'T1552.006', 'T1087.004', 'T1547.001', 'T1078', 'T1027', 'T1195.002', 'T1573.002', 'T1570', 'T1059.006', 'T1071.001', 'T1021.001', 'T1552.007']

MISP event uuid: 1e57b118-ee0f-4afc-a1fb-2b6687f960df

wiz.io

durabletask: TeamPCP's Latest PyPi Compromise | Wiz Blog

Discover the latest on malicious versions of the pypi package durabletask, matching TeamPCP tactics.

12 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: Exposing Fox Tempest: A malware-signing service operation
📅Date: 2026-05-19
🔗References:
https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="tool-profile"
• TA-category="Cybercrime"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Microsoft"
• target-information="United States"
• target-information="British Indian Ocean Territory"
• target-information="China"
• target-information="France"
• target-information="India"
mitre-attack-pattern=['T1204.002', 'T1553.002', 'T1082', 'T1140', 'T1567', 'T1218', 'T1136.001', 'T1083', 'T1059.001', 'T1566', 'T1562.001', 'T1078', 'T1027', 'T1036.001', 'T1486', 'T1195.002', 'T1189', 'T1071.001', 'T1105', 'T1021.001']

MISP event uuid: 7d52bcc6-a889-4f8a-a841-d5ae3b3714c5

Microsoft News

Exposing Fox Tempest: A malware-signing service operation

Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware.

11 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: 9 Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities
📅Date: 2026-05-19
🔗References:
https://www.vulncheck.com/blog/cve-2017-9841

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💉 Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="critical-vuln"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
mitre-attack-pattern=['T1133', 'T1082', 'T1071', 'T1608.001', 'T1190', 'T1595.002', 'T1505.003', 'T1595', 'T1087', 'T1059', 'T1083', 'T1608', 'T1059.004', 'T1027', 'T1505', 'T1071.001', 'T1018', 'T1046', 'T1105']

MISP event uuid: aa2425c7-fd98-4e8e-84c7-d5a56208bbfe

VulnCheck

VulnCheck - Outpace Adversaries

Vulnerability intelligence that predicts avenues of attack with speed and accuracy.

15 views11:03

Rectifyq Cybersecurity News 🇲🇾

📃Title: [Ransomware] Unconfirmed: Sha******** Met***
📅Date: 2026-05-29
🔗References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1

🔖Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: 💥 Data Breach
- TA-category="Ransomware"

🔖MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="lamashtu"
mitre-attack-pattern=[]

MISP event uuid: f2f56dd8-e0fe-45c7-9e83-de9237df5602

Ransomware.live

Victim: Shanpoornam Metals – lamashtu

Ransomware.live discovered on 2026-05-29 that Shanpoornam Metals has been claimed by Lamashtu ransomware group

16 views19:00

Rectifyq Cybersecurity News 🇲🇾

Rectifyq Cybersecurity News 🇲🇾 pinned «📃Title: [Ransomware] Unconfirmed: Sha******** Met*** 📅Date: 2026-05-29 🔗References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1 🔖Rectifyq Taxonomies: Relevancy: 🔴 Highly Relevant Category: 💥 Data Breach - TA-category="Ransomware"…»

22:22

Rectifyq Cybersecurity News 🇲🇾

📃Title: New burrowing techniques
📅Date: 2026-05-20
🔗References:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• target="broad-based"
• TA-category="APT"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="ESET"
• target-information="Belgium"
• target-information="Czech Republic"
• target-information="Hungary"
• target-information="Italy"
• target-information="Nigeria"
• target-information="Poland"
• target-information="Serbia"
• target-information="South Africa"
• target-information="Spain"
• threat-actor="Webworm"
• online-service="7347d685-8e08-4ed9-9f34-264e5e4b567a"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1550.001', 'T1573.002', 'T1102.002', 'T1078.004', 'T1021.007', 'T1005', 'T1027.013', 'T1041', 'T1567.002', 'T1090.002', 'T1070.004', 'T1090.001', 'T1074.001', 'T1112', 'T1090.003', 'T1547.001', 'T1074.002', 'T1053.005', 'T1583.004', 'T1132.001', 'T1070.006', 'T1608.002', 'T1583.003', 'T1588.006', 'T1595.002', 'T1071.001', 'T1584.006', 'T1059.003', 'T1595.003']

MISP event uuid: 55a58703-da62-4330-bd76-3189d2635e28

Welivesecurity

Webworm: New burrowing techniques

ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal.

12 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: PureLogs: Delivery via PawsRunner Steganography
📅Date: 2026-05-15
🔗References:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Fortinet"
• malpedia="PureLogs Stealer"
mitre-attack-pattern=[]

MISP event uuid: 3c80a5eb-e55b-46df-87f5-aa09ba9bb5d2

Fortinet Blog

PureLogs: Delivery via PawsRunner Steganography

FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.…

14 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: The Worm That Keeps on Digging: Latest Wave
📅Date: 2026-05-19
🔗References:
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Wiz Blog"
• malpedia="Shai-Hulud"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.003', 'T1552.004', 'T1552.001', 'T1567.001', 'T1552.006', 'T1102.003', 'T1574.010', 'T1195.002', 'T1102.002', 'T1059.006', 'T1543.001', 'T1071.001', 'T1543.002', 'T1105', 'T1102.001']

MISP event uuid: a8121f4e-198f-47f3-a649-0b881e64d745

wiz.io

The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave | Wiz Blog

Multi-ecosystem supply chain compromise by TeamPCP targets GitHub, NPM, and VSCode to steal credentials and establish persistence.

10 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Fresh mischief and digital shenanigans
📅Date: 2026-05-14
🔗References:
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="ESET"
• target-information="Lithuania"
• target-information="Poland"
• target-information="Ukraine"
• threat-actor="FrostyNeighbor"
• region="151 - Eastern Europe"
• sector="Government, Administration"
• sector="Military"
• malpedia="Cobalt Strike"
• malpedia="PicassoLoader"
mitre-attack-pattern=['T1053.005', 'T1583', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1059', 'T1608', 'T1057', 'T1041', 'T1060', 'T1588.002', 'T1027', 'T1071.001', 'T1027.009']

MISP event uuid: 62c6b987-cf0c-4a4b-9c57-a5a107789688

Welivesecurity

FrostyNeighbor: Fresh mischief and digital shenanigans

ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations.

10 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
📅Date: 2026-05-21
🔗References:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• sub-category="critical-vuln"
• sub-category="campaign-analysis"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
mitre-attack-pattern=['T1218.011', 'T1132.001', 'T1059.007', 'T1140', 'T1190', 'T1583.001', 'T1055', 'T1102', 'T1583.006', 'T1204', 'T1059.001', 'T1212', 'T1547.001', 'T1566', 'T1027', 'T1573', 'T1059.003', 'T1071.001', 'T1105']

MISP event uuid: 63a2d681-adb1-4ca3-a1ae-f2d332ea8de5

奇安信 X 实验室

Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks

Background

On May 7, 2026, XLab detected a poisoning incident targeting Ghost CMS belonging to one of important clients. The attacker exploited the high-risk SQL injection vulnerability CVE-2026-26980 in Ghost CMS to obtain the target site's Admin API Key…

12 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
📅Date: 2026-05-21
🔗References:
https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="EclecticIQ"
• target-information="United States"
• target-information="United Kingdom"
mitre-attack-pattern=['T1552.001', 'T1555.003', 'T1552.002', 'T1005', 'T1140', 'T1562.001', 'T1189', 'T1573', 'T1041', 'T1083', 'T1562.006', 'T1105', 'T1204.002', 'T1204.001', 'T1027', 'T1059.001', 'T1057', 'T1608.006', 'T1539', 'T1218', 'T1497.001', 'T1071.001', 'T1555.004']

MISP event uuid: 6c37649e-5ce2-4c1b-8fb0-c90e251a93a2

Eclecticiq

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI coding…

11 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Politicians to Ditch Signal for Homegrown Apps
📅Date: 2026-05-21
🔗References:
https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="report"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• target-information="United States"
• target-information="Belgium"
• target-information="France"
• target-information="Germany"
• target-information="Poland"
• target-information="United Kingdom"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1530', 'T1552', 'T1185', 'T1534', 'T1566', 'T1056', 'T1213']

MISP event uuid: 73a9fa17-bb23-41c0-90a6-f3aa48fc2617

Risky.Biz

Srsly Risky Biz: Politicians to Ditch Signal for Homegrown Apps

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Push Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your…

14 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
📅Date: 2026-05-20
🔗References:
https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• workflow="enrichment"
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• topic="cloud"
• target="targeted"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"

🔖MISP Galaxies:
• producer="Fortinet"
• branded-vulnerability="b2c5ca09-8d99-4138-ace7-99615894ab71"
mitre-attack-pattern=['T1110.001', 'T1133', 'T1071.004', 'T1053', 'T1190', 'T1036', 'T1563', 'T1070', 'T1552.001', 'T1098', 'T1059.004', 'T1571', 'T1027', 'T1486', 'T1573', 'T1496', 'T1027.002', 'T1071.001', 'T1105', 'T1090.001']

MISP event uuid: 6e45460a-4428-4eb4-865e-3a5a170b8b01

Fortinet Blog

Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise

FortiGuard Labs analyzed several P2PInfect compromises in GKE clusters, showing how exposed Redis instances can enable persistent botnet enrollment, dormancy, and cloud runtime risk.…

14 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
📅Date: 2026-05-20
🔗References:
https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Microsoft"
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1132.001', 'T1059.007', 'T1548.003', 'T1069.003', 'T1195.001', 'T1036.005', 'T1140', 'T1552.004', 'T1562.006', 'T1552.001', 'T1098.001', 'T1087.004', 'T1098', 'T1068', 'T1027', 'T1195.002', 'T1567.002', 'T1071.001', 'T1105', 'T1078.004']

MISP event uuid: ce69c87f-4292-4c48-9907-0aea83122aed

Microsoft News

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

Compromised @antv npm packages deploy the Mini Shai-Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms.

15 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
📅Date: 2026-05-20
🔗References:
https://www.seqrite.com/blog/operation-dragon-whistle-ung002-targets-chinese-academia-via-weaponized-institutional-lure/

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Seqrite"
• target-information="China"
• malpedia="Cobalt Strike"
mitre-attack-pattern=['T1574.002', 'T1005', 'T1622', 'T1564.001', 'T1105', 'T1204.002', 'T1036', 'T1106', 'T1027', 'T1057', 'T1620', 'T1129', 'T1566.001', 'T1218', 'T1497.001', 'T1497', 'T1059.005', 'T1071.001']

MISP event uuid: 271f7352-0846-4ffc-9841-b0e792521cbc

Seqrite Labs

Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure

<p>Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys & Spear phishing Email: Technical Analysis: Stage1: Analysis of LNK File. Stage2: Analysis of VBS. Stage3: DLL Side Loading. Infrastructural…

20 views03:05

Rectifyq Cybersecurity News 🇲🇾

📃Title: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
📅Date: 2026-05-20
🔗References:
https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign

🔖Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: ⚔ Threat
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="x"
• action-taken="linkedin"

🔖MISP Galaxies:
• target-information="Croatia"
• target-information="Malaysia"
• target-information="Romania"
• target-information="Thailand"
• producer="Zimperium"
• online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=['T1412', 'T1476', 'T1646', 'T1643', 'T1417', 'T1582', 'T1603', 'T1628.001', 'T1426', 'T1422', 'T1437.001']

MISP event uuid: 441a0a60-4abf-4afc-8318-eee24dbf5b68

Zimperium

Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign

true

16 views03:27

About

Blog

Apps

Platform