与「ThreatIntelligence」相关的搜索结果

Big News! 📣 @Ripple is now contributing high-confidence DPRK threat data through Crypto ISAC helping security teams move from awareness to action. The reality is North Korean threat actors aren’t just attacking crypto, they’re infiltrating it. The latest wave of attacks is shifting away from traditional exploits and toward something harder to detect: trusted access gained through social engineering, recruitment, and long-term deception. In our new blog with Ripple, we break down: - How these campaigns operate “from the inside out” - Why traditional indicators aren’t enough to catch them - And how shared, enriched threat intelligence is changing the equation Because in this environment, no single company can see the full picture alone. Read more 👇 #CryptoSecurity# #ThreatIntelligence# #DPRK# #Cybersecurity# #DigitalAssets# #CryptoISAC#

🚨 MistEye TI Alert 🚨 Based on recent intelligence, multiple high-frequency npm packages, including AntV and Echarts-for-react, as well as the durabletask Python SDK, have been compromised by Mini Shai-Hulud supply chain attacks. Notably: 1. May 19, 2026: The npm account atool (i@hust.cc) was compromised, allowing attackers to automatically publish 637 malicious versions across 317 packages within 22 minutes. 2. May 20, 2026 (Beijing Time): Within 35 minutes, attackers consecutively uploaded durabletask versions 1.4.1, 1.4.2, and 1.4.3 at 00:19, 00:49, and 00:54, bypassing normal release controls and impersonating official Microsoft releases. Additionally, these two events—the large-scale GitHub token leaks (potentially exposing official repositories) and the Grafana Labs targeted ransom attack—are likely related to the Mini Shai-Hulud supply chain compromise: • GitHub token leaks: Evidence suggests some leaked tokens may have been used to access and potentially sell official GitHub repositories. The leaks were caused by a compromised employee device, which involved a polluted VS Code extension. • Grafana Labs attack (May 16, 2026): A cybercrime group gained unauthorized access to their GitHub repositories, downloaded the codebase, and issued a ransom demand under threat of data disclosure. Affected Components / Targets: • npm packages: AntV, Echarts-for-react, and other high-frequency components in the npm ecosystem. • Python packages: durabletask 1.4.1, 1.4.2, 1.4.3. • Developer credentials and secrets: GitHub PATs, npm Tokens, AWS Keys, Kubernetes Secrets, Vault Tokens, SSH keys, and over 90 types of local sensitive files. • GitHub repositories: internal codebases potentially accessible via leaked tokens. • Grafana Labs’ repositories (downloaded by attackers; ransom demanded). Potential Attacker Actions: • Immediate exfiltration of cloud and local credentials upon package installation or import. • Unauthorized access to internal repositories and sensitive cloud infrastructure. • Lateral movement across developer machines, CI/CD pipelines, and cloud workloads. • Sale and exploitation of leaked GitHub tokens. • Supply chain compromise affecting dependent projects and production systems. • Ransom demands and potential data disclosure threats against organizations, including open source platforms. Detection Methods: • Audit npm and PyPI dependencies for affected packages: • npm: npm ls --all • Python: pip list --outdated or pip show durabletask to confirm versions. • Inspect lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, pipfile.lock) for malicious versions. • Review CI/CD pipelines and deployment logs for installation of compromised packages. • Monitor GitHub and cloud activity for unusual authentication events, including signs of leaked token usage. Mitigation Measures: • Immediately rotate all exposed GitHub, npm, PyPI, and cloud credentials. • Replace affected npm/PyPI packages with verified safe versions or freeze dependency versions. • Isolate potentially compromised systems and audit for credential theft or lateral movement. • Apply security patches and review post-compromise artifacts in CI/CD pipelines. Additional Recommendations: • Enable real-time monitoring and alerting for suspicious token or key usage. • Implement stricter dependency review policies and supply chain risk checks. • Educate teams to verify package authenticity before installation. • Monitor dark web or underground marketplaces for leaked credentials related to your organization. SlowMist will continue to track and monitor developments related to this incident, including potential new malicious releases or related exploits. MistEye has already pushed relevant threat intelligence to clients to help them proactively assess and mitigate risks.

🚨 SlowMist TI Alert 🚨 MistEye has received critical threat intelligence regarding an active supply chain attack compromising node-ipc, a foundational Node.js library. The malicious releases have been identified as versions 9.1.6, 9.2.3, and 12.0.1. Threat actors injected an obfuscated credential-stealing payload into the CommonJS bundle. Once loaded, it silently harvests over 90 categories of developer data—including AWS, Azure, GCP, SSH, K8s tokens, and Terraform states—and exfiltrates it to attacker-controlled infrastructure. We have synchronized this IOC with our clients immediately. Detection & Remediation: Please urgently audit your environments for exposure: • Dependencies: Run npm ls node-ipc --all to identify direct or transitive inclusions. • Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected version ranges. • CI/CD: Review pipeline jobs executed after May 14, 2026, that may have pulled loose semver updates (~9.1.x, ^12, etc.). ⚠️ Critical Action: If a compromised version was installed, assume certain compromise. Do not wait for exfiltration confirmation. Downgrade to a known safe version immediately and aggressively rotate all credentials, tokens, and environment secrets present on the affected machine or CI runner. As always, stay vigilant!

🚨 Threat Intelligence | Analysis of a Fake TronLink Chrome Extension Phishing Campaign 🚨 SlowMist’s MistEye threat monitoring system recently detected a high-risk phishing campaign targeting #TRON# wallet users. Attackers created a fake Chrome MV3 extension impersonating @TronLinkWallet, using Unicode bidirectional control characters and Cyrillic homoglyphs to spoof the brand name. Once installed, it loads a full phishing page via remote iframe — forming a “shell-core separation” credential theft chain. 🔍 Key Findings: 🔹 The extension name uses homoglyphs for disguise. Its Chrome Web Store page inherits the real extension’s high user count and positive reviews, significantly lowering review barriers. 🔹 Local code is extremely minimal — it only loads a remote page, making static analysis almost useless for detecting malice. 🔹 The remote phishing page perfectly replicates the official TronLink Web wallet UI, stealing mnemonic phrases, private keys, Keystore files, and passwords, then exfiltrating them in real time via Telegram Bot. 🔹 Built-in anti-analysis features (disables right-click, DevTools, drag-and-drop, printing) and geo/language-based redirection for Russian users to evade detection. ⚠️ This is not a simple fake extension — it employs advanced techniques like remote dynamic loading and anti-forensics, making it extremely difficult for traditional static scanners to catch. 🛡️ Immediate Actions : • Uninstall any suspicious extension (Malicious ID: ekjidonhjmneoompmjbjofpjmhklpjdd) • Official TronLink extension ID: ibnejdfjmmkpcnlpebklmnkoeoihofec • Clear localStorage and check for abnormal traffic • If credentials were entered, create a new wallet immediately and transfer assets 📖 Full technical analysis + IOCs + self-check guide here 👇

🚨 SlowMist TI Alert 🚨 MistEye has monitored threat intelligence regarding a sophisticated supply chain campaign targeting official Checkmarx distribution channels. The attack involved maliciously overwriting tags in the checkmarx/kics Docker Hub repository and injecting remote payload execution logic into specific extension versions, including checkmarx/cx-dev-assist (1.17.0, 1.19.0) and checkmarx/ast-results (2.63.0, 2.66.0). This campaign specifically aims to exfiltrate developer and cloud credentials to obtain GitHub and npm tokens for lateral propagation. Consequently, this propagation has led to the compromise of the @bitwarden/cli@2026.4.0 package, which now contains a malicious file named bw1.js. These IOCs have been synchronized with clients immediately. It is advised to avoid unverified checkmarx/kics Docker images and strictly refrain from using the compromised extension or CLI versions mentioned above. Immediate auditing of development environments and rotation of any potentially exposed credentials or tokens is strongly recommended. As always, stay vigilant!

🚨 SlowMist TI Alert 🚨 MistEye has received threat intelligence from the community regarding an active and highly destructive macOS infostealer known as "MacSync Stealer" (v1.1.2). Threat actors are targeting macOS users to extract sensitive data, including crypto wallets, browser credentials, system Keychains, and infrastructure keys (SSH/AWS/K8s). The malware uses fake AppleScript system dialogs to phish for login passwords and displays a fake "not supported" error after data exfiltration. We have synchronized this IOC with our clients immediately. Please do NOT execute unverified macOS scripts and be extremely cautious of unexpected system password prompts. In the event of a suspected compromise, immediate remediation is critical: rotate all infrastructure credentials (SSH/AWS/K8s), invalidate exposed Keychains, and swiftly migrate cryptocurrency assets to secure wallets. As always, stay vigilant!

🚨 SlowMist TI Alert 🚨 MistEye has received threat intelligence from the community regarding an active social engineering campaign utilizing fraudulent "Harmony Voice" links (harmony-voice[.]app). Threat actors are targeting individuals under the guise of project collaboration, requesting the use of this fake software for real-time translation. We have synchronized this IOC with our clients immediately. Please do NOT click on any harmony-voice[.]app/invite/room/... links, download associated software, or interact with unsolicited testing requests. As always, stay vigilant!