{ "feed_title": "Halting Problems Threat Intelligence Feed", "feed_description": "Aggregated machine-readable Indicators of Compromise (IOCs) from our active research.", "last_updated": "2026-05-25T23:16:24.742Z", "items_count": 20, "items": [ { "slug": "art-template-coruna-npm-compromise", "title": "art-template npm Coruna Browser Exploit Compromise", "summary": "The npm package art-template was compromised in versions 4.13.5 and 4.13.6 to inject remote browser-side JavaScript that redirected users into a Coruna-like iOS Safari exploit delivery chain.", "date": "2026-05-24", "severity": "high", "tags": [ "supply-chain", "npm", "browser", "javascript", "exploit-delivery" ], "sources_count": 1, "feed_url": "https://haltingproblems.com/analysis/art-template-coruna-npm-compromise/", "ioc_url": "https://haltingproblems.com/analysis/art-template-coruna-npm-compromise/ioc.json", "indicators": { "slug": "art-template-coruna-npm-compromise", "since": "2026-05-24T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm npmjs.com", "packages": [ "art-template" ], "versions": [ "4.13.5", "4.13.6", "art-template 4.13.5", "art-template 4.13.6" ], "files": [ "lib/template-web.js", "49554fde7424c31c.js" ], "domains": [ "v3.jiathis.com", "utaq.cfww.shop", "cfww.shop", "l1ewsu3yjkqeroy.xyz", "ipv4.icanhazip.com" ], "urls": [ "https://v3.jiathis.com/code/jia.js?uid=artemplate", "https://v3.jiathis.com/code/art.js", "https://utaq.cfww.shop/gooll/gooll.html", "https://utaq.cfww.shop/gooll/49554fde7424c31c.js", "https://l1ewsu3yjkqeroy.xyz/api/ip-sync/sync" ], "ips": [], "hashes": [ "dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086", "387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41" ], "processPatterns": [], "networkPatterns": [ "browser requests to v3.jiathis.com/code/art.js", "browser requests to utaq.cfww.shop/gooll/", "POST or beacon to l1ewsu3yjkqeroy.xyz/api/ip-sync/sync" ] } }, { "slug": "laravel-lang-composer-tag-compromise", "title": "Laravel-Lang Composer Tag Rewrite RCE Compromise", "summary": "Laravel-Lang packages were compromised through rewritten Composer tags that loaded a PHP backdoor through Composer autoload and exposed developer, CI/CD, cloud, and application secrets.", "date": "2026-05-24", "severity": "critical", "tags": [ "supply-chain", "packagist", "composer", "laravel", "credential-theft" ], "sources_count": 2, "feed_url": "https://haltingproblems.com/analysis/laravel-lang-composer-tag-compromise/", "ioc_url": "https://haltingproblems.com/analysis/laravel-lang-composer-tag-compromise/ioc.json", "indicators": { "slug": "laravel-lang-composer-tag-compromise", "since": "2026-05-22T22:32:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "composer packagist", "packages": [ "laravel-lang/lang", "laravel-lang/http-statuses", "laravel-lang/actions", "laravel-lang/attributes" ], "versions": [ "laravel-lang/lang@15.30.0", "laravel-lang/lang@15.28.5", "laravel-lang/lang@15.28.4", "laravel-lang/lang@15.28.3", "laravel-lang/lang@15.28.2", "laravel-lang/lang@15.28.1", "laravel-lang/lang@15.28.0", "laravel-lang/lang@15.27.0", "laravel-lang/lang@15.26.5", "laravel-lang/lang@15.26.4", "laravel-lang/lang@15.26.3", "laravel-lang/lang@15.26.2", "laravel-lang/lang@15.26.1", "laravel-lang/lang@15.26.0", "laravel-lang/lang@15.25.0", "laravel-lang/lang@15.24.5", "laravel-lang/lang@15.24.4", "laravel-lang/lang@15.24.3", "laravel-lang/lang@15.24.2", "laravel-lang/lang@15.24.1", "laravel-lang/lang@15.24.0", "laravel-lang/lang@15.23.3", "laravel-lang/lang@15.23.2", "laravel-lang/lang@15.23.1", "laravel-lang/lang@15.23.0", "laravel-lang/lang@15.22.8", "laravel-lang/lang@15.22.7", "laravel-lang/lang@15.22.6", "laravel-lang/lang@15.22.5", "laravel-lang/lang@15.22.4", "laravel-lang/lang@15.22.3", "laravel-lang/lang@15.22.2", "laravel-lang/lang@15.22.1", "laravel-lang/lang@15.22.0", "laravel-lang/lang@15.21.1", "laravel-lang/lang@15.21.0", "laravel-lang/lang@15.20.2", "laravel-lang/lang@15.20.1", "laravel-lang/lang@15.20.0", "laravel-lang/lang@15.19.9", "laravel-lang/lang@15.19.8", "laravel-lang/lang@15.19.7", "laravel-lang/lang@15.19.6", "laravel-lang/lang@15.19.5", "laravel-lang/lang@15.19.4", "laravel-lang/lang@15.19.3", "laravel-lang/lang@15.19.2", "laravel-lang/lang@15.19.1", "laravel-lang/lang@15.19.0", "laravel-lang/lang@15.18.0", "laravel-lang/lang@15.17.1", "laravel-lang/lang@15.17.0", "laravel-lang/lang@15.16.0", "laravel-lang/lang@15.15.0", "laravel-lang/lang@15.14.0", "laravel-lang/lang@15.13.0", "laravel-lang/lang@15.12.1", "laravel-lang/lang@15.12.0", "laravel-lang/lang@15.11.7", "laravel-lang/lang@15.11.6", "laravel-lang/lang@15.11.5", "laravel-lang/lang@15.11.4", "laravel-lang/lang@15.11.3", "laravel-lang/lang@15.11.2", "laravel-lang/lang@15.11.1", "laravel-lang/lang@15.11.0", "laravel-lang/lang@15.10.0", "laravel-lang/lang@15.9.7", "laravel-lang/lang@15.9.6", "laravel-lang/lang@15.9.5", "laravel-lang/lang@15.9.4", "laravel-lang/lang@15.9.3", "laravel-lang/lang@15.9.2", "laravel-lang/lang@15.9.1", "laravel-lang/lang@15.9.0", "laravel-lang/lang@15.8.1", "laravel-lang/lang@15.8.0", "laravel-lang/lang@15.7.5", "laravel-lang/lang@15.7.4", "laravel-lang/lang@15.7.3", "laravel-lang/lang@15.7.2", "laravel-lang/lang@15.7.1", "laravel-lang/lang@15.7.0", "laravel-lang/lang@15.6.2", "laravel-lang/lang@15.6.1", "laravel-lang/lang@15.6.0", "laravel-lang/lang@15.5.6", "laravel-lang/lang@15.5.5", "laravel-lang/lang@15.5.4", "laravel-lang/lang@15.5.3", "laravel-lang/lang@15.5.2", "laravel-lang/lang@15.5.1", "laravel-lang/lang@15.5.0", "laravel-lang/lang@15.4.1", "laravel-lang/lang@15.4.0", "laravel-lang/lang@15.3.1", "laravel-lang/lang@15.3.0", "laravel-lang/lang@15.2.2", "laravel-lang/lang@15.2.1", "laravel-lang/lang@15.2.0", "laravel-lang/lang@15.1.5", "laravel-lang/lang@15.1.4", "laravel-lang/lang@15.1.3", "laravel-lang/lang@15.1.2", "laravel-lang/lang@15.1.1", "laravel-lang/lang@15.1.0", "laravel-lang/lang@15.0.0", "laravel-lang/lang@14.8.1", "laravel-lang/lang@14.8.0", "laravel-lang/lang@14.7.0", "laravel-lang/lang@14.6.0", "laravel-lang/lang@14.5.2", "laravel-lang/lang@14.5.1", "laravel-lang/lang@14.5.0", "laravel-lang/lang@14.4.0", "laravel-lang/lang@14.3.7", "laravel-lang/lang@14.3.6", "laravel-lang/lang@14.3.5", "laravel-lang/lang@14.3.4", "laravel-lang/lang@14.3.3", "laravel-lang/lang@14.3.2", "laravel-lang/lang@14.3.1", "laravel-lang/lang@14.3.0", "laravel-lang/lang@14.2.9", "laravel-lang/lang@14.2.8", "laravel-lang/lang@14.2.7", "laravel-lang/lang@14.2.6", "laravel-lang/lang@14.2.5", "laravel-lang/lang@14.2.4", "laravel-lang/lang@14.2.3", "laravel-lang/lang@14.2.2", "laravel-lang/lang@14.2.1", "laravel-lang/lang@14.2.0", "laravel-lang/lang@14.1.5", "laravel-lang/lang@14.1.4", "laravel-lang/lang@14.1.3", "laravel-lang/lang@14.1.2", "laravel-lang/lang@14.1.1", "laravel-lang/lang@14.1.0", "laravel-lang/lang@14.0.1", "laravel-lang/lang@14.0.0", "laravel-lang/lang@13.12.1", "laravel-lang/lang@13.12.0", "laravel-lang/lang@13.11.0", "laravel-lang/lang@13.10.0", "laravel-lang/lang@13.9.1", "laravel-lang/lang@13.9.0", "laravel-lang/lang@13.8.0", "laravel-lang/lang@13.7.0", "laravel-lang/lang@13.6.1", "laravel-lang/lang@13.6.0", "laravel-lang/lang@13.5.1", "laravel-lang/lang@13.5.0", "laravel-lang/lang@13.4.0", "laravel-lang/lang@13.3.0", "laravel-lang/lang@13.2.8", "laravel-lang/lang@13.2.7", "laravel-lang/lang@13.2.6", "laravel-lang/lang@13.2.5", "laravel-lang/lang@13.2.4", "laravel-lang/lang@13.2.3", "laravel-lang/lang@13.2.2", "laravel-lang/lang@13.2.1", "laravel-lang/lang@13.2.0", "laravel-lang/lang@13.1.4", "laravel-lang/lang@13.1.3", "laravel-lang/lang@13.1.2", "laravel-lang/lang@13.1.1", "laravel-lang/lang@13.1.0", "laravel-lang/lang@13.0.1", "laravel-lang/lang@13.0.0", "laravel-lang/lang@12.24.3", "laravel-lang/lang@12.24.2", "laravel-lang/lang@12.24.1", "laravel-lang/lang@12.24.0", "laravel-lang/lang@12.23.2", "laravel-lang/lang@12.23.1", "laravel-lang/lang@12.23.0", "laravel-lang/lang@12.22.1", "laravel-lang/lang@12.22.0", "laravel-lang/lang@12.21.10", "laravel-lang/lang@12.21.9", "laravel-lang/lang@12.21.8", "laravel-lang/lang@12.21.7", "laravel-lang/lang@12.21.6", "laravel-lang/lang@12.21.5", "laravel-lang/lang@12.21.4", "laravel-lang/lang@12.21.3", "laravel-lang/lang@12.21.2", "laravel-lang/lang@12.21.1", "laravel-lang/lang@12.21.0", "laravel-lang/lang@12.20.5", "laravel-lang/lang@12.20.4", "laravel-lang/lang@12.20.3", "laravel-lang/lang@12.20.2", "laravel-lang/lang@12.20.1", "laravel-lang/lang@12.20.0", "laravel-lang/lang@12.19.4", "laravel-lang/lang@12.19.3", "laravel-lang/lang@12.19.2", "laravel-lang/lang@12.19.1", "laravel-lang/lang@12.19.0", "laravel-lang/lang@12.18.6", "laravel-lang/lang@12.18.5", "laravel-lang/lang@12.18.4", "laravel-lang/lang@12.18.3", "laravel-lang/lang@12.18.2", "laravel-lang/lang@12.18.1", "laravel-lang/lang@12.18.0", "laravel-lang/lang@12.17.1", "laravel-lang/lang@12.17.0", "laravel-lang/lang@12.16.1", "laravel-lang/lang@12.16.0", "laravel-lang/lang@12.15.2", "laravel-lang/lang@12.15.1", "laravel-lang/lang@12.15.0", "laravel-lang/lang@12.14.2", "laravel-lang/lang@12.14.1", "laravel-lang/lang@12.14.0", "laravel-lang/lang@12.13.1", "laravel-lang/lang@12.13.0", "laravel-lang/lang@12.12.0", "laravel-lang/lang@12.11.5", "laravel-lang/lang@12.11.4", "laravel-lang/lang@12.11.3", "laravel-lang/lang@12.11.2", "laravel-lang/lang@12.11.1", "laravel-lang/lang@12.11.0", "laravel-lang/lang@12.10.0", "laravel-lang/lang@12.9.9", "laravel-lang/lang@12.9.8", "laravel-lang/lang@12.9.7", "laravel-lang/lang@12.9.6", "laravel-lang/lang@12.9.5", "laravel-lang/lang@12.9.4", "laravel-lang/lang@12.9.3", "laravel-lang/lang@12.9.2", "laravel-lang/lang@12.9.1", "laravel-lang/lang@12.9.0", "laravel-lang/lang@12.8.4", "laravel-lang/lang@12.8.2", "laravel-lang/lang@12.8.1", "laravel-lang/lang@12.8.0", "laravel-lang/lang@12.7.3", "laravel-lang/lang@12.7.2", "laravel-lang/lang@12.7.1", "laravel-lang/lang@12.7.0", "laravel-lang/lang@12.6.1", "laravel-lang/lang@12.6.0", "laravel-lang/lang@12.5.8", "laravel-lang/lang@12.5.7", "laravel-lang/lang@12.5.6", "laravel-lang/lang@12.5.5", "laravel-lang/lang@12.5.4", "laravel-lang/lang@12.5.3", "laravel-lang/lang@12.5.2", "laravel-lang/lang@12.5.1", "laravel-lang/lang@12.5.0", "laravel-lang/lang@12.4.0", "laravel-lang/lang@12.3.2", "laravel-lang/lang@12.3.1", "laravel-lang/lang@12.3.0", "laravel-lang/lang@12.2.3", "laravel-lang/lang@12.2.2", "laravel-lang/lang@12.2.1", "laravel-lang/lang@12.2.0", "laravel-lang/lang@12.1.5", "laravel-lang/lang@12.1.4", "laravel-lang/lang@12.1.3", "laravel-lang/lang@12.1.2", "laravel-lang/lang@12.1.1", "laravel-lang/lang@12.1.0", "laravel-lang/lang@12.0.10", "laravel-lang/lang@12.0.9", "laravel-lang/lang@12.0.8", "laravel-lang/lang@12.0.7", "laravel-lang/lang@12.0.6", "laravel-lang/lang@12.0.5", "laravel-lang/lang@12.0.4", "laravel-lang/lang@12.0.3", "laravel-lang/lang@12.0.2", "laravel-lang/lang@12.0.1", "laravel-lang/lang@12.0.0", "laravel-lang/lang@11.0.20", "laravel-lang/lang@11.0.19", "laravel-lang/lang@11.0.18", "laravel-lang/lang@11.0.17", "laravel-lang/lang@11.0.16", "laravel-lang/lang@11.0.15", "laravel-lang/lang@11.0.14", "laravel-lang/lang@11.0.13", "laravel-lang/lang@11.0.12", "laravel-lang/lang@11.0.11", "laravel-lang/lang@11.0.10", "laravel-lang/lang@11.0.9", "laravel-lang/lang@11.0.8", "laravel-lang/lang@11.0.7", "laravel-lang/lang@11.0.6", "laravel-lang/lang@11.0.5", "laravel-lang/lang@11.0.4", "laravel-lang/lang@11.0.3", "laravel-lang/lang@11.0.2", "laravel-lang/lang@11.0.1", "laravel-lang/lang@11.0.0", "laravel-lang/lang@10.9.6", "laravel-lang/lang@10.9.5", "laravel-lang/lang@10.9.4", "laravel-lang/lang@10.9.3", "laravel-lang/lang@10.9.2", "laravel-lang/lang@10.9.1", "laravel-lang/lang@10.9.0", "laravel-lang/lang@10.8.0", "laravel-lang/lang@10.7.2", "laravel-lang/lang@10.7.1", "laravel-lang/lang@10.7.0", "laravel-lang/lang@10.6.0", "laravel-lang/lang@10.5.2", "laravel-lang/lang@10.5.1", "laravel-lang/lang@10.5.0", "laravel-lang/lang@10.4.14", "laravel-lang/lang@10.4.13", "laravel-lang/lang@10.4.12", "laravel-lang/lang@10.4.11", "laravel-lang/lang@10.4.10", "laravel-lang/lang@10.4.9", "laravel-lang/lang@10.4.8", "laravel-lang/lang@10.4.7", "laravel-lang/lang@10.4.6", "laravel-lang/lang@10.4.5", "laravel-lang/lang@10.4.4", "laravel-lang/lang@10.4.3", "laravel-lang/lang@10.4.2", "laravel-lang/lang@10.4.1", "laravel-lang/lang@10.4.0", "laravel-lang/lang@10.3.0", "laravel-lang/lang@10.2.0", "laravel-lang/lang@10.1.12", "laravel-lang/lang@10.1.11", "laravel-lang/lang@10.1.10", "laravel-lang/lang@10.1.9", "laravel-lang/lang@10.1.8", "laravel-lang/lang@10.1.7", "laravel-lang/lang@10.1.6", "laravel-lang/lang@10.1.5", "laravel-lang/lang@10.1.4", "laravel-lang/lang@10.1.3", "laravel-lang/lang@10.1.2", "laravel-lang/lang@10.1.1", "laravel-lang/lang@10.1.0", "laravel-lang/lang@10.0.2", "laravel-lang/lang@10.0.1", "laravel-lang/lang@10.0.0", "laravel-lang/lang@9.1.3", "laravel-lang/lang@9.1.2", "laravel-lang/lang@9.1.1", "laravel-lang/lang@9.1.0", "laravel-lang/lang@9.0.1", "laravel-lang/lang@9.0.0", "laravel-lang/lang@8.1.3", "laravel-lang/lang@8.1.2", "laravel-lang/lang@8.1.1", "laravel-lang/lang@8.1.0", "laravel-lang/lang@8.0.3", "laravel-lang/lang@8.0.2", "laravel-lang/lang@8.0.1", "laravel-lang/lang@8.0.0", "laravel-lang/lang@7.0.9", "laravel-lang/lang@7.0.8", "laravel-lang/lang@7.0.7", "laravel-lang/lang@7.0.6", "laravel-lang/lang@7.0.5", "laravel-lang/lang@7.0.4", "laravel-lang/lang@7.0.3", "laravel-lang/lang@7.0.2", "laravel-lang/lang@7.0.1", "laravel-lang/lang@7.0.0", "laravel-lang/lang@6.1.4", "laravel-lang/lang@6.1.3", "laravel-lang/lang@6.1.2", "laravel-lang/lang@6.1.1", "laravel-lang/lang@6.1.0", "laravel-lang/lang@6.0.3", "laravel-lang/lang@6.0.2", "laravel-lang/lang@6.0.1", "laravel-lang/lang@6.0.0", "laravel-lang/lang@5.0.0", "laravel-lang/lang@4.0.11", "laravel-lang/lang@4.0.10", "laravel-lang/lang@4.0.9", "laravel-lang/lang@4.0.8", "laravel-lang/lang@4.0.7", "laravel-lang/lang@4.0.6", "laravel-lang/lang@4.0.5", "laravel-lang/lang@4.0.4", "laravel-lang/lang@4.0.3", "laravel-lang/lang@4.0.2", "laravel-lang/lang@4.0.1", "laravel-lang/lang@4.0.0", "laravel-lang/lang@3.0.62", "laravel-lang/lang@3.0.61", "laravel-lang/lang@3.0.60", "laravel-lang/lang@3.0.59", "laravel-lang/lang@3.0.58", "laravel-lang/lang@3.0.57", "laravel-lang/lang@3.0.56", "laravel-lang/lang@3.0.54", "laravel-lang/lang@3.0.53", "laravel-lang/lang@3.0.52", "laravel-lang/lang@3.0.51", "laravel-lang/lang@3.0.50", "laravel-lang/lang@3.0.49", "laravel-lang/lang@3.0.48", "laravel-lang/lang@3.0.47", "laravel-lang/lang@3.0.46", "laravel-lang/lang@3.0.45", "laravel-lang/lang@3.0.44", "laravel-lang/lang@3.0.43", "laravel-lang/lang@3.0.42", "laravel-lang/lang@3.0.41", "laravel-lang/lang@3.0.40", "laravel-lang/lang@3.0.39", "laravel-lang/lang@3.0.38", "laravel-lang/lang@3.0.37", "laravel-lang/lang@3.0.36", "laravel-lang/lang@3.0.35", "laravel-lang/lang@3.0.34", "laravel-lang/lang@3.0.33", "laravel-lang/lang@3.0.32", "laravel-lang/lang@3.0.31", "laravel-lang/lang@3.0.30", "laravel-lang/lang@3.0.29", "laravel-lang/lang@3.0.28", "laravel-lang/lang@3.0.27", "laravel-lang/lang@3.0.26", "laravel-lang/lang@3.0.25", "laravel-lang/lang@3.0.24", "laravel-lang/lang@3.0.23", "laravel-lang/lang@3.0.22", "laravel-lang/lang@3.0.21", "laravel-lang/lang@3.0.20", "laravel-lang/lang@3.0.19", "laravel-lang/lang@3.0.18", "laravel-lang/lang@3.0.17", "laravel-lang/lang@3.0.16", "laravel-lang/lang@3.0.15", "laravel-lang/lang@3.0.14", "laravel-lang/lang@3.0.13", "laravel-lang/lang@3.0.12", "laravel-lang/lang@3.0.11", "laravel-lang/lang@3.0.10", "laravel-lang/lang@3.0.9", "laravel-lang/lang@3.0.8", "laravel-lang/lang@3.0.7", "laravel-lang/lang@3.0.6", "laravel-lang/lang@3.0.5", "laravel-lang/lang@3.0.4", "laravel-lang/lang@3.0.3", "laravel-lang/lang@3.0.2", "laravel-lang/lang@3.0.1", "laravel-lang/lang@3.0.0", "laravel-lang/lang@2.0.43", "laravel-lang/lang@2.0.42", "laravel-lang/lang@2.0.41", "laravel-lang/lang@2.0.40", "laravel-lang/lang@2.0.39", "laravel-lang/lang@2.0.38", "laravel-lang/lang@2.0.37", "laravel-lang/lang@2.0.36", "laravel-lang/lang@2.0.35", "laravel-lang/lang@2.0.34", "laravel-lang/lang@2.0.33", "laravel-lang/lang@2.0.32", "laravel-lang/lang@2.0.31", "laravel-lang/lang@2.0.30", "laravel-lang/lang@2.0.29", "laravel-lang/lang@2.0.28", "laravel-lang/lang@2.0.27", "laravel-lang/lang@2.0.26", "laravel-lang/lang@2.0.25", "laravel-lang/lang@2.0.24", "laravel-lang/lang@2.0.23", "laravel-lang/lang@2.0.22", "laravel-lang/lang@2.0.21", "laravel-lang/lang@2.0.20", "laravel-lang/lang@2.0.19", "laravel-lang/lang@2.0.18", "laravel-lang/lang@2.0.17", "laravel-lang/lang@2.0.16", "laravel-lang/lang@2.0.15", "laravel-lang/lang@2.0.14", "laravel-lang/lang@2.0.13", "laravel-lang/lang@2.0.12", "laravel-lang/lang@2.0.11", "laravel-lang/lang@2.0.10", "laravel-lang/lang@2.0.9", "laravel-lang/lang@2.0.8", "laravel-lang/lang@2.0.7", "laravel-lang/lang@2.0.6", "laravel-lang/lang@2.0.5", "laravel-lang/lang@2.0.4", "laravel-lang/lang@2.0.3", "laravel-lang/lang@2.0.2", "laravel-lang/lang@2.0.1", "laravel-lang/lang@1.0.2", "laravel-lang/http-statuses@v3.4.5", "laravel-lang/http-statuses@v3.4.4", "laravel-lang/http-statuses@v3.4.3", "laravel-lang/http-statuses@v3.4.2", "laravel-lang/http-statuses@v3.4.1", "laravel-lang/http-statuses@v3.4.0", "laravel-lang/http-statuses@v3.3.1", "laravel-lang/http-statuses@v3.3.0", "laravel-lang/http-statuses@v3.2.2", "laravel-lang/http-statuses@v3.2.1", "laravel-lang/http-statuses@v3.2.0", "laravel-lang/http-statuses@v3.1.5", "laravel-lang/http-statuses@v3.1.4", "laravel-lang/http-statuses@v3.1.3", "laravel-lang/http-statuses@v3.1.2", "laravel-lang/http-statuses@v3.1.1", "laravel-lang/http-statuses@v3.1.0", "laravel-lang/http-statuses@v3.0.8", "laravel-lang/http-statuses@v3.0.7", "laravel-lang/http-statuses@v3.0.6", "laravel-lang/http-statuses@v3.0.5", "laravel-lang/http-statuses@v3.0.4", "laravel-lang/http-statuses@v3.0.3", "laravel-lang/http-statuses@v3.0.2", "laravel-lang/http-statuses@v3.0.1", "laravel-lang/http-statuses@v3.0.0", "laravel-lang/http-statuses@v2.1.3", "laravel-lang/http-statuses@v2.1.2", "laravel-lang/http-statuses@v2.1.1", "laravel-lang/http-statuses@v2.1.0", "laravel-lang/http-statuses@v2.0.1", "laravel-lang/http-statuses@v2.0.0", "laravel-lang/http-statuses@v1.0.10", "laravel-lang/http-statuses@v1.0.9", "laravel-lang/http-statuses@v1.0.8", "laravel-lang/http-statuses@v1.0.7", "laravel-lang/http-statuses@v1.0.6", "laravel-lang/http-statuses@v1.0.5", "laravel-lang/http-statuses@v1.0.4", "laravel-lang/http-statuses@v1.0.3", "laravel-lang/http-statuses@v1.0.2", "laravel-lang/http-statuses@v1.0.1", "laravel-lang/http-statuses@v1.0.0", "laravel-lang/http-statuses@3.13.1", "laravel-lang/http-statuses@3.13.0", "laravel-lang/http-statuses@3.12.1", "laravel-lang/http-statuses@3.12.0", "laravel-lang/http-statuses@3.11.1", "laravel-lang/http-statuses@3.11.0", "laravel-lang/http-statuses@3.10.5", "laravel-lang/http-statuses@3.10.4", "laravel-lang/http-statuses@3.10.3", "laravel-lang/http-statuses@3.10.2", "laravel-lang/http-statuses@3.10.1", "laravel-lang/http-statuses@3.10.0", "laravel-lang/http-statuses@3.9.0", "laravel-lang/http-statuses@3.8.5", "laravel-lang/http-statuses@3.8.4", "laravel-lang/http-statuses@3.8.3", "laravel-lang/http-statuses@3.8.2", "laravel-lang/http-statuses@3.8.1", "laravel-lang/http-statuses@3.8.0", "laravel-lang/http-statuses@3.7.0", "laravel-lang/http-statuses@3.6.3", "laravel-lang/http-statuses@3.6.2", "laravel-lang/http-statuses@3.6.1", "laravel-lang/http-statuses@3.6.0", "laravel-lang/http-statuses@3.5.0", "laravel-lang/http-statuses@2.1.4", "laravel-lang/http-statuses@1.0.11", "laravel-lang/actions@1.13.1", "laravel-lang/actions@1.13.0", "laravel-lang/actions@1.12.4", "laravel-lang/actions@1.11.1", "laravel-lang/actions@1.11.0", "laravel-lang/actions@1.10.2", "laravel-lang/actions@1.10.1", "laravel-lang/actions@1.10.0", "laravel-lang/actions@1.9.0", "laravel-lang/actions@1.8.10", "laravel-lang/actions@1.8.9", "laravel-lang/actions@1.8.8", "laravel-lang/actions@1.8.7", "laravel-lang/actions@1.8.6", "laravel-lang/actions@1.8.5", "laravel-lang/actions@1.8.4", "laravel-lang/actions@1.8.3", "laravel-lang/actions@1.8.2", "laravel-lang/actions@1.8.1", "laravel-lang/actions@1.8.0", "laravel-lang/actions@1.7.0", "laravel-lang/actions@1.6.1", "laravel-lang/actions@1.6.0", "laravel-lang/actions@1.5.6", "laravel-lang/actions@1.5.5", "laravel-lang/actions@1.5.4", "laravel-lang/actions@1.5.3", "laravel-lang/actions@1.5.2", "laravel-lang/actions@1.5.1", "laravel-lang/actions@1.5.0", "laravel-lang/actions@1.4.5", "laravel-lang/actions@1.4.4", "laravel-lang/actions@1.4.3", "laravel-lang/actions@1.4.2", "laravel-lang/actions@1.4.1", "laravel-lang/actions@1.4.0", "laravel-lang/actions@1.3.1", "laravel-lang/actions@1.3.0", "laravel-lang/actions@1.2.1", "laravel-lang/actions@1.2.0", "laravel-lang/actions@1.1.3", "laravel-lang/actions@1.1.2", "laravel-lang/actions@1.1.1", "laravel-lang/actions@1.1.0", "laravel-lang/actions@1.0.1", "laravel-lang/actions@1.0.0", "laravel-lang/attributes@v2.4.1", "laravel-lang/attributes@v2.4.0", "laravel-lang/attributes@v2.3.4", "laravel-lang/attributes@v2.3.3", "laravel-lang/attributes@v2.3.2", "laravel-lang/attributes@v2.3.1", "laravel-lang/attributes@v2.3.0", "laravel-lang/attributes@v2.2.0", "laravel-lang/attributes@v2.1.2", "laravel-lang/attributes@v2.1.1", "laravel-lang/attributes@v2.1.0", "laravel-lang/attributes@v2.0.9", "laravel-lang/attributes@v2.0.8", "laravel-lang/attributes@v2.0.7", "laravel-lang/attributes@v2.0.6", "laravel-lang/attributes@v2.0.5", "laravel-lang/attributes@v2.0.4", "laravel-lang/attributes@v2.0.3", "laravel-lang/attributes@v2.0.2", "laravel-lang/attributes@v2.0.1", "laravel-lang/attributes@v2.0.0", "laravel-lang/attributes@v1.1.3", "laravel-lang/attributes@v1.1.2", "laravel-lang/attributes@v1.1.1", "laravel-lang/attributes@v1.1.0", "laravel-lang/attributes@v1.0.11", "laravel-lang/attributes@v1.0.10", "laravel-lang/attributes@v1.0.9", "laravel-lang/attributes@v1.0.8", "laravel-lang/attributes@v1.0.7", "laravel-lang/attributes@v1.0.6", "laravel-lang/attributes@v1.0.5", "laravel-lang/attributes@v1.0.4", "laravel-lang/attributes@v1.0.3", "laravel-lang/attributes@v1.0.2", "laravel-lang/attributes@v1.0.1", "laravel-lang/attributes@v1.0.0", "laravel-lang/attributes@2.16.1", "laravel-lang/attributes@2.16.0", "laravel-lang/attributes@2.15.8", "laravel-lang/attributes@2.14.2", "laravel-lang/attributes@2.14.1", "laravel-lang/attributes@2.14.0", "laravel-lang/attributes@2.13.6", "laravel-lang/attributes@2.13.5", "laravel-lang/attributes@2.13.4", "laravel-lang/attributes@2.13.3", "laravel-lang/attributes@2.13.2", "laravel-lang/attributes@2.13.1", "laravel-lang/attributes@2.13.0", "laravel-lang/attributes@2.12.1", "laravel-lang/attributes@2.12.0", "laravel-lang/attributes@2.11.4", "laravel-lang/attributes@2.11.3", "laravel-lang/attributes@2.11.2", "laravel-lang/attributes@2.11.1", "laravel-lang/attributes@2.11.0", "laravel-lang/attributes@2.10.10", "laravel-lang/attributes@2.10.9", "laravel-lang/attributes@2.10.8", "laravel-lang/attributes@2.10.7", "laravel-lang/attributes@2.10.6", "laravel-lang/attributes@2.10.5", "laravel-lang/attributes@2.10.4", "laravel-lang/attributes@2.10.3", "laravel-lang/attributes@2.10.2", "laravel-lang/attributes@2.10.1", "laravel-lang/attributes@2.10.0", "laravel-lang/attributes@2.9.5", "laravel-lang/attributes@2.9.4", "laravel-lang/attributes@2.9.3", "laravel-lang/attributes@2.9.2", "laravel-lang/attributes@2.9.1", "laravel-lang/attributes@2.9.0", "laravel-lang/attributes@2.8.1", "laravel-lang/attributes@2.8.0", "laravel-lang/attributes@2.7.0", "laravel-lang/attributes@2.6.2", "laravel-lang/attributes@2.6.1", "laravel-lang/attributes@2.6.0", "laravel-lang/attributes@2.5.1", "laravel-lang/attributes@2.5.0", "laravel-lang/attributes@1.1.5", "laravel-lang/attributes@1.1.4", "laravel-lang/lang rewritten tags", "laravel-lang/http-statuses rewritten tags through v3.4.5", "laravel-lang/actions rewritten tags through 1.12.2", "laravel-lang/attributes rewritten tags" ], "files": [ "src/helpers.php", "composer.json autoload.files", "/tmp/.laravel_locale/.php", "/tmp/" ], "domains": [ "flipboxstudio.info" ], "urls": [ "https://flipboxstudio.info/payload", "https://flipboxstudio.info/exfil" ], "ips": [], "hashes": [ "2f0ee073c6f29d66188a845592029c9b52528f04" ], "processPatterns": [ "php -r require vendor/autoload.php followed by orphaned php", "sh -c php /tmp/.laravel_locale/.php > /dev/null 2>&1 &", "nohup /tmp/" ], "networkPatterns": [ "GET flipboxstudio.info/payload", "POST flipboxstudio.info/exfil" ] } }, { "slug": "megalodon-github-actions-secret-exfiltration", "title": "Megalodon GitHub Actions Secret Exfiltration Campaign", "summary": "Megalodon added malicious GitHub Actions workflows to thousands of public repositories to collect environment variables, cloud credentials, source-control secrets, and runner tokens.", "date": "2026-05-24", "severity": "critical", "tags": [ "supply-chain", "github-actions", "ci-cd", "credential-theft", "workflow-injection" ], "sources_count": 1, "feed_url": "https://haltingproblems.com/analysis/megalodon-github-actions-secret-exfiltration/", "ioc_url": "https://haltingproblems.com/analysis/megalodon-github-actions-secret-exfiltration/ioc.json", "indicators": { "slug": "megalodon-github-actions-secret-exfiltration", "since": "2026-05-24T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "github actions github repositories", "packages": [], "versions": [], "files": [ ".github/workflows/SysDiag.yml", ".github/workflows/Optimize-Build.yml" ], "domains": [], "urls": [ "https://216.126.225.129:8443/collect" ], "ips": [ "216.126.225.129" ], "hashes": [ "1c9e803c80cc7fed000022d4c94f4b5bc2e90062", "7f6120bb10c870b9fde146961a18e5bf0b3d4401", "acac5a9854650c4ae2883c4740bf87d34120c038" ], "processPatterns": [ "workflow collects environment variables and credential files" ], "networkPatterns": [ "HTTPS POST to 216.126.225.129:8443/collect" ] } }, { "slug": "actions-cool-github-actions-tag-hijack", "title": "actions-cool GitHub Actions Tag Hijack Credential Theft", "summary": "GitHub Action tags for actions-cool/issues-helper and actions-cool/maintain-one-comment were moved to imposter commits that scraped GitHub Actions runner memory and exfiltrated CI/CD secrets.", "date": "2026-05-24", "severity": "critical", "tags": [ "supply-chain", "github-actions", "ci-cd", "credential-theft", "tag-hijack" ], "sources_count": 1, "feed_url": "https://haltingproblems.com/analysis/actions-cool-github-actions-tag-hijack/", "ioc_url": "https://haltingproblems.com/analysis/actions-cool-github-actions-tag-hijack/ioc.json", "indicators": { "slug": "actions-cool-github-actions-tag-hijack", "since": "2026-05-18T19:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "github actions github repositories and action tags", "packages": [ "actions-cool/issues-helper", "actions-cool/maintain-one-comment" ], "versions": [ "actions-cool/issues-helper@v1", "actions-cool/issues-helper@v1.0.0", "actions-cool/issues-helper@v1.1.0", "actions-cool/issues-helper@v1.10.0", "actions-cool/issues-helper@v1.11.0", "actions-cool/issues-helper@v1.12.0", "actions-cool/issues-helper@v1.13.0", "actions-cool/issues-helper@v1.14.0", "actions-cool/issues-helper@v1.15.0", "actions-cool/issues-helper@v1.16.0", "actions-cool/issues-helper@v1.17.0", "actions-cool/issues-helper@v1.18.0", "actions-cool/issues-helper@v1.19.0", "actions-cool/issues-helper@v1.2.0", "actions-cool/issues-helper@v1.20.0", "actions-cool/issues-helper@v1.21.0", "actions-cool/issues-helper@v1.22.0", "actions-cool/issues-helper@v1.23.0", "actions-cool/issues-helper@v1.24.0", "actions-cool/issues-helper@v1.25.0", "actions-cool/issues-helper@v1.26.0", "actions-cool/issues-helper@v1.27.0", "actions-cool/issues-helper@v1.28.0", "actions-cool/issues-helper@v1.29.0", "actions-cool/issues-helper@v1.3.0", "actions-cool/issues-helper@v1.30.0", "actions-cool/issues-helper@v1.31.0", "actions-cool/issues-helper@v1.32.0", "actions-cool/issues-helper@v1.33.0", "actions-cool/issues-helper@v1.34.0", "actions-cool/issues-helper@v1.35.0", "actions-cool/issues-helper@v1.36.0", "actions-cool/issues-helper@v1.37.0", "actions-cool/issues-helper@v1.4.0", "actions-cool/issues-helper@v1.5.0", "actions-cool/issues-helper@v1.6.0", "actions-cool/issues-helper@v1.7.0", "actions-cool/issues-helper@v1.8.0", "actions-cool/issues-helper@v1.9.0", "actions-cool/issues-helper@v2", "actions-cool/issues-helper@v2.0.0", "actions-cool/issues-helper@v2.1.0", "actions-cool/issues-helper@v2.2.0", "actions-cool/issues-helper@v2.3.0", "actions-cool/issues-helper@v2.4.0", "actions-cool/issues-helper@v2.5.0", "actions-cool/issues-helper@v3", "actions-cool/issues-helper@v3.0.0", "actions-cool/issues-helper@v3.1.0", "actions-cool/issues-helper@v3.2.0", "actions-cool/issues-helper@v3.2.1", "actions-cool/maintain-one-comment@v1", "actions-cool/maintain-one-comment@v1.0.0", "actions-cool/maintain-one-comment@v1.1.0", "actions-cool/maintain-one-comment@v1.2.0", "actions-cool/maintain-one-comment@v1.3.0", "actions-cool/maintain-one-comment@v2", "actions-cool/maintain-one-comment@v2.0.0", "actions-cool/maintain-one-comment@v2.1.0", "actions-cool/maintain-one-comment@v2.2.0", "actions-cool/maintain-one-comment@v2.3.0", "actions-cool/maintain-one-comment@v3", "actions-cool/maintain-one-comment@v3.0.0", "actions-cool/maintain-one-comment@v3.1.0", "actions-cool/maintain-one-comment@v3.2.0", "actions-cool/maintain-one-comment@v3.3.0", "actions-cool/issues-helper affected tags", "actions-cool/maintain-one-comment affected tags" ], "files": [ ".github/workflows/*.yml" ], "domains": [ "t.m-kosche.com" ], "urls": [], "ips": [], "hashes": [ "8064d4e0322f069b3dba13e7957ff0ca7dab7984", "6e79ae622b7ef30f31fdbcc2dc65339e" ], "processPatterns": [ "python3 reading /proc//mem", "bun executing unexpected action code" ], "networkPatterns": [ "POST or HTTPS traffic from GitHub Actions runner to t.m-kosche.com" ] } }, { "slug": "packagist-github-postinstall-hook-campaign", "title": "Packagist GitHub Postinstall Hook Malware Campaign", "summary": "A campaign inserted malicious package.json postinstall hooks into Packagist-linked GitHub repositories, causing npm install workflows to download and execute a GitHub Releases binary as /tmp/.sshd.", "date": "2026-05-24", "severity": "high", "tags": [ "supply-chain", "packagist", "github", "npm", "postinstall" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/packagist-github-postinstall-hook-campaign/", "ioc_url": "https://haltingproblems.com/analysis/packagist-github-postinstall-hook-campaign/ioc.json", "indicators": { "slug": "packagist-github-postinstall-hook-campaign", "since": "2026-05-24T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "composer/packagist with npm lifecycle execution packagist and github", "packages": [ "moritz-sauer-13/silverstripe-cms-theme", "crosiersource/crosierlib-base", "devdojo/wave", "devdojo/genesis", "katanaui/katana", "elitedevsquad/sidecar-laravel", "r2luna/brain", "baskarcm/tzi-chat-ui" ], "versions": [ "dev-main", "dev-master", "3.x-dev", "moritz-sauer-13/silverstripe-cms-theme dev-master", "crosiersource/crosierlib-base dev-master", "devdojo/wave dev-main", "devdojo/genesis dev-main", "katanaui/katana dev-main", "elitedevsquad/sidecar-laravel 3.x-dev", "r2luna/brain dev-main", "baskarcm/tzi-chat-ui dev-main" ], "files": [ "package.json", "/tmp/.sshd" ], "domains": [ "github.com" ], "urls": [ "https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network" ], "ips": [], "hashes": [], "processPatterns": [ "curl -skL ... -o /tmp/.sshd", "chmod +x /tmp/.sshd", "/tmp/.sshd running in background" ], "networkPatterns": [ "download of gvfsd-network from parikhpreyash4/systemd-network-helper-aa5c751f" ] } }, { "slug": "shopsprint-decimal-go-typosquat", "title": "shopsprint/decimal Go Module DNS Backdoor Typosquat", "summary": "The Go module github.com/shopsprint/decimal typosquatted github.com/shopspring/decimal and used an init-time DNS TXT command loop in v1.3.3.", "date": "2026-05-24", "severity": "high", "tags": [ "supply-chain", "go", "typosquatting", "dns", "backdoor" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/shopsprint-decimal-go-typosquat/", "ioc_url": "https://haltingproblems.com/analysis/shopsprint-decimal-go-typosquat/ioc.json", "indicators": { "slug": "shopsprint-decimal-go-typosquat", "since": "2023-08-19T09:27:21Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "go modules proxy.golang.org and pkg.go.dev", "packages": [ "github.com/shopsprint/decimal" ], "versions": [ "v1.3.3", "github.com/shopsprint/decimal v1.3.3" ], "files": [ "go.mod", "go.sum", "decimal.go" ], "domains": [ "dnslog-cdn-images.freemyip.com", "freemyip.com" ], "urls": [], "ips": [], "hashes": [ "f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c" ], "processPatterns": [ "Go application importing github.com/shopsprint/decimal" ], "networkPatterns": [ "TXT query to dnslog-cdn-images.freemyip.com every five minutes" ] } }, { "slug": "trapdoor-cross-ecosystem-crypto-stealer", "title": "TrapDoor Cross-Ecosystem Crypto Stealer Campaign", "summary": "TrapDoor is an active cross-registry supply-chain campaign using npm postinstall hooks, PyPI import-time execution, and Rust build scripts to steal developer, cloud, SSH, and crypto wallet secrets.", "date": "2026-05-24", "severity": "critical", "tags": [ "supply-chain", "npm", "pypi", "crates.io", "credential-theft", "crypto" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/trapdoor-cross-ecosystem-crypto-stealer/", "ioc_url": "https://haltingproblems.com/analysis/trapdoor-cross-ecosystem-crypto-stealer/ioc.json", "indicators": { "slug": "trapdoor-cross-ecosystem-crypto-stealer", "since": "2026-05-22T20:20:18Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm, pypi, crates.io npmjs.com, pypi.org, crates.io", "packages": [ "async-pipeline-builder", "build-scripts-utils", "chain-key-validator", "crypto-credential-scanner", "defi-env-auditor", "defi-threat-scanner", "deployment-key-auditor", "dev-env-bootstrapper", "eth-wallet-sentinel", "llm-context-compressor", "mnemonic-safety-check", "model-switch-router", "node-setup-helpers", "project-init-tools", "prompt-engineering-toolkit", "solidity-deploy-guard", "token-usage-tracker", "wallet-backup-verifier", "wallet-security-checker", "web3-secrets-detector", "workspace-config-loader", "cryptowallet-safety", "data-pipeline-check", "defi-risk-scanner", "env-loader-cli", "eth-security-auditor", "git-config-sync", "solidity-build-guard", "move-analyzer-build", "move-compiler-tools", "move-project-builder", "sui-framework-helpers", "sui-move-build-helper", "sui-sdk-build-utils" ], "versions": [ "env-loader-cli@0.1.0", "env-loader-cli@0.1.1", "eth-security-auditor@0.1.0", "sui-framework-helpers@0.1.0", "PyPI/env-loader-cli 0.1.0", "PyPI/env-loader-cli 0.1.1", "PyPI/eth-security-auditor 0.1.0", "Crates.io/sui-framework-helpers 0.1.0" ], "files": [ "trap-core.js", ".cursorrules", "CLAUDE.md", "build.rs" ], "domains": [ "ddjidd564.github.io" ], "urls": [ "https://ddjidd564.github.io/defi-security-best-practices/", "https://ddjidd564.github.io/defi-security-best-practices/config.json", "https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js", "https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js" ], "ips": [], "hashes": [], "processPatterns": [ "npm -> node trap-core.js", "python -> node -e", "cargo -> build.rs" ], "networkPatterns": [ "developer or CI host egress to ddjidd564.github.io", "post-install GitHub or AWS credential validation" ] } }, { "slug": "mini-shai-hulud-worm", "title": "Mini Shai-Hulud Self-Propagating Software Supply Chain Worm", "summary": "Mini Shai-Hulud is a highly sophisticated, self-propagating software supply chain worm targeting npm and PyPI ecosystems. Attributed to the TeamPCP threat actor group, it exploits CI/CD pipelines to harvest credentials and forge SLSA Build Level 3 provenance signatures.", "date": "2026-05-23", "severity": "critical", "tags": [ "npm", "pypi", "supply-chain", "worm", "teampcp", "slsa", "credentials-theft" ], "sources_count": 7, "feed_url": "https://haltingproblems.com/analysis/mini-shai-hulud-worm/", "ioc_url": "https://haltingproblems.com/analysis/mini-shai-hulud-worm/ioc.json", "indicators": { "slug": "mini-shai-hulud-worm", "since": "2026-04-20T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm, pypi npm registry, pypi", "packages": [ "@tanstack/react-router", "@tanstack/vue-router", "@tanstack/solid-router", "@tanstack/react-start", "@tanstack/router-core", "@antv/g2", "@antv/g6", "@antv/x6", "@sap/cds", "@sap/cds-dk", "opensearch-py", "lite-llm", "nx-console" ], "versions": [ "@tanstack/react-router@1.169.5", "@tanstack/react-router@1.169.8", "@tanstack/vue-router@1.169.5", "@tanstack/vue-router@1.169.8", "@tanstack/solid-router@1.169.5", "@tanstack/solid-router@1.169.8", "@tanstack/react-start@1.167.68", "@tanstack/react-start@1.167.71", "@antv/g2@4.2.8", "@antv/g6@4.8.24", "nx-console@18.95.0" ], "files": [ "router_init.js", "setup_bun.js", "bun_environment.js", "transformers.pyz", "gh-token-monitor" ], "domains": [ "filev2.getsession.org", "api.masscan.cloud", "git-tanstack.com", "t.m-kosche.com", "www.endorlabs.com", "www.microsoft.com", "www.sentinelone.com" ], "urls": [ "https://filev2.getsession.org/upload", "https://api.masscan.cloud/ping", "https://www.endorlabs.com/blog/mini-shai-hulud-npm-worm-hits-sap-developer-packages", "https://tanstack.com/blog/postmortem-cve-2026-45321", "https://www.microsoft.com/en-us/security/blog/hunting-the-shai-hulud-supply-chain-worm", "https://www.sentinelone.com/blog/anatomy-of-cve-2026-45321" ], "ips": [], "hashes": [ "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c" ], "processPatterns": [], "networkPatterns": [] } }, { "slug": "microsoft-durabletask-pypi-compromise", "title": "Microsoft DurableTask Python SDK PyPI Hijacking", "summary": "On May 19, 2026, the official Microsoft durabletask Python SDK was compromised on PyPI. Threat actors used hijacked publishing credentials to directly upload malicious versions containing a cloud credential-harvesting payload.", "date": "2026-05-19", "severity": "critical", "tags": [ "pypi", "package-compromise", "supply-chain", "credential-theft", "microsoft", "teampcp" ], "sources_count": 3, "feed_url": "https://haltingproblems.com/analysis/microsoft-durabletask-pypi-compromise/", "ioc_url": "https://haltingproblems.com/analysis/microsoft-durabletask-pypi-compromise/ioc.json", "indicators": { "slug": "microsoft-durabletask-pypi-compromise", "since": "2026-05-19T06:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "pypi, python pypi registry", "packages": [ "durabletask" ], "versions": [ "1.4.1", "1.4.2", "1.4.3" ], "files": [], "domains": [ "www.stepsecurity.io" ], "urls": [ "https://www.stepsecurity.io`" ], "ips": [], "hashes": [], "processPatterns": [], "networkPatterns": [] } }, { "slug": "nx-console-extension-compromise", "title": "Nx Console VS Code Extension Compromise", "summary": "On May 18, 2026, the official Nx Console VS Code extension was compromised when attackers used an OAuth token stolen in the TanStack compromise to publish malicious version v18.95.0, resulting in the theft of 3,800 internal GitHub repositories.", "date": "2026-05-18", "severity": "critical", "tags": [ "vscode", "extension", "supply-chain", "compromise", "oauth", "teampcp" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/nx-console-extension-compromise/", "ioc_url": "https://haltingproblems.com/analysis/nx-console-extension-compromise/ioc.json", "indicators": { "slug": "nx-console-extension-compromise", "since": "2026-05-11T19:26:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "vs-code-extension-marketplace, open-vsx visual studio marketplace, open vsx", "packages": [ "nx-console" ], "versions": [ "18.95.0", "Nx Console v18.95.0" ], "files": [ "~/.local/share/kitty/cat.py", "~/Library/LaunchAgents/com.user.kitty-monitor.plist", "/var/tmp/.gh_update_state" ], "domains": [ "sfrclak.com", "com.user.kitty-monitor.plist" ], "urls": [ "https://sfrclak.com/api/v1/beacon", "https://nx.dev" ], "ips": [], "hashes": [], "processPatterns": [], "networkPatterns": [] } }, { "slug": "node-ipc-expired-domain-takeover", "title": "Node-IPC Expired Domain & Maintainer Account Hijacking", "summary": "On May 14, 2026, the highly popular Node.js library node-ipc was compromised in a major supply chain attack. Attackers re-registered the expired email domain of a dormant lead maintainer to reset their npm account password and publish credential-stealing updates.", "date": "2026-05-14", "severity": "critical", "tags": [ "package-compromise", "maintainer-hijacking", "supply-chain", "domain-takeover", "dns-exfiltration", "credential-theft" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/node-ipc-expired-domain-takeover/", "ioc_url": "https://haltingproblems.com/analysis/node-ipc-expired-domain-takeover/ioc.json", "indicators": { "slug": "node-ipc-expired-domain-takeover", "since": "2025-01-15T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm, javascript, node.js npm registry", "packages": [ "node-ipc" ], "versions": [ "9.1.6", "9.2.3", "12.0.1" ], "files": [], "domains": [], "urls": [ "https://snyk.io`" ], "ips": [], "hashes": [], "processPatterns": [], "networkPatterns": [] } }, { "slug": "tanstack-pipeline-poisoning", "title": "TanStack CI/CD Release Pipeline Poisoning", "summary": "On May 11, 2026, the popular open-source project TanStack fell victim to a CI/CD release pipeline poisoning attack. Threat actors hijacked the release pipeline via a pull request exploitation vector and OIDC token theft to publish 84 backdoored versions across 42 packages.", "date": "2026-05-11", "severity": "critical", "tags": [ "npm", "supply-chain", "compromise", "github-actions", "oidc", "teampcp" ], "sources_count": 4, "feed_url": "https://haltingproblems.com/analysis/tanstack-pipeline-poisoning/", "ioc_url": "https://haltingproblems.com/analysis/tanstack-pipeline-poisoning/ioc.json", "indicators": { "slug": "tanstack-pipeline-poisoning", "since": "2026-05-11T19:20:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm npmjs.com", "packages": [ "@tanstack/zod-adapter", "@tanstack/router", "@tanstack/react-router", "@tanstack/react-query", "@tanstack/table-core" ], "versions": [ "1.166.12", "1.166.15", "@tanstack/zod-adapter@1.166.12", "@tanstack/zod-adapter@1.166.15" ], "files": [ "router_init.js", "tanstack_runner.js" ], "domains": [ "git-tanstack.com" ], "urls": [ "https://git-tanstack.com", "https://tanstack.com", "https://snyk.io" ], "ips": [], "hashes": [ "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c" ], "processPatterns": [], "networkPatterns": [] } }, { "slug": "intercom-client-npm-shai-hulud", "title": "intercom-client npm Mini Shai-Hulud Compromise", "summary": "On April 30, 2026, `intercom-client@7.0.4` on npm introduced a first-ever `preinstall` hook that executed a Bun-launched obfuscated credential stealer and exfiltrated secrets through GitHub APIs.", "date": "2026-04-30", "severity": "critical", "tags": [ "npm", "package-compromise", "supply-chain", "credential-theft", "shai-hulud" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/intercom-client-npm-shai-hulud/", "ioc_url": "https://haltingproblems.com/analysis/intercom-client-npm-shai-hulud/ioc.json", "indicators": { "slug": "intercom-client-npm-shai-hulud", "since": "2026-04-30T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm, javascript npm", "packages": [ "intercom-client" ], "versions": [ "7.0.4", "intercom-client@7.0.4" ], "files": [ "setup.mjs", "router_runtime.js" ], "domains": [], "urls": [], "ips": [], "hashes": [], "processPatterns": [ "npm preinstall launches Bun-backed loader files" ], "networkPatterns": [ "egress related to intercom-client 7.0.4" ] } }, { "slug": "lightning-pypi-bun-stealer", "title": "Lightning PyPI Bun-Based Credential Stealer", "summary": "On April 30, 2026, malicious `lightning` PyPI releases 2.6.2 and 2.6.3 shipped an import-time loader that bootstrapped Bun and executed a large obfuscated JavaScript credential stealer.", "date": "2026-04-30", "severity": "critical", "tags": [ "pypi", "package-compromise", "supply-chain", "credential-theft", "shai-hulud" ], "sources_count": 4, "feed_url": "https://haltingproblems.com/analysis/lightning-pypi-bun-stealer/", "ioc_url": "https://haltingproblems.com/analysis/lightning-pypi-bun-stealer/ioc.json", "indicators": { "slug": "lightning-pypi-bun-stealer", "since": "2026-01-30T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "pypi, python pypi", "packages": [ "lightning" ], "versions": [ "2.6.2", "2.6.3", "lightning==2.6.2", "lightning==2.6.3" ], "files": [ "setup.mjs", "router_runtime.js", "Bun launcher" ], "domains": [], "urls": [], "ips": [], "hashes": [], "processPatterns": [ "Python import-time loader starts Bun and obfuscated JavaScript" ], "networkPatterns": [ "egress related to malicious lightning PyPI releases" ] } }, { "slug": "elementary-data-pypi-ghcr-compromise", "title": "elementary-data PyPI and GHCR GitHub Actions Compromise", "summary": "A malicious `elementary-data==0.23.3` release was pushed to PyPI and GHCR after attackers exploited a GitHub Actions script-injection path, adding an interpreter-startup `.pth` infostealer.", "date": "2026-04-25", "severity": "critical", "tags": [ "pypi", "github-actions", "ghcr", "supply-chain", "credential-theft" ], "sources_count": 5, "feed_url": "https://haltingproblems.com/analysis/elementary-data-pypi-ghcr-compromise/", "ioc_url": "https://haltingproblems.com/analysis/elementary-data-pypi-ghcr-compromise/ioc.json", "indicators": { "slug": "elementary-data-pypi-ghcr-compromise", "since": "2026-04-24T22:20:47Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "pypi, python, container pypi github container registry", "packages": [ "elementary-data" ], "versions": [ "0.23.3", "elementary-data==0.23.3", "ghcr.io/elementary-data/elementary:0.23.3", "ghcr.io/elementary-data/elementary:latest" ], "files": [ "elementary.pth", "trin.tar.gz", "$TMPDIR/.trinny-security-update" ], "domains": [ "igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud", "trin.tar.gz" ], "urls": [], "ips": [], "hashes": [ "sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255", "sha256:b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9", "31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255", "b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9" ], "processPatterns": [ "Python startup executes `elementary.pth`" ], "networkPatterns": [ "egress related to elementary-data 0.23.3 package or GHCR image" ] } }, { "slug": "axios-npm-compromise", "title": "Axios npm Package Compromise (UNC1069)", "summary": "On March 31, 2026, the popular JavaScript HTTP client Axios was compromised when attackers hijacked a lead maintainer's npm account, publishing malicious versions containing a phantom dependency to drop a cross-platform Remote Access Trojan (RAT).", "date": "2026-03-31", "severity": "critical", "tags": [ "npm", "supply-chain", "compromise", "RAT", "waveshaper", "unc1069" ], "sources_count": 9, "feed_url": "https://haltingproblems.com/analysis/axios-npm-compromise/", "ioc_url": "https://haltingproblems.com/analysis/axios-npm-compromise/ioc.json", "indicators": { "slug": "axios-npm-compromise", "since": "2026-03-31T00:21:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm", "packages": [ "axios", "plain-crypto-js" ], "versions": [ "axios@1.14.1", "axios@0.30.4", "plain-crypto-js@4.2.1" ], "files": [ "/Library/Caches/com.apple.act.mond", "%PROGRAMDATA%\\\\wt.exe", "/tmp/ld.py" ], "domains": [ "sfrclak.com", "com.apple.act.mond" ], "urls": [ "https://sfrclak.com/api/v1/beacon", "https://sfrclak.com/payloads/", "http://sfrclak.com:8000", "https://google.com", "https://elastic.co", "https://paloaltonetworks.com", "https://github.com/advisories/GHSA-fw8c-xr5c-95f9" ], "ips": [ "142.11.206.73" ], "hashes": [ "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09", "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a", "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101", "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf" ], "processPatterns": [], "networkPatterns": [] } }, { "slug": "litellm-pypi-hijacking", "title": "LiteLLM Python SDK PyPI Hijacking & Cascading Trust Failure", "summary": "On March 24, 2026, the popular LiteLLM Python package was compromised on PyPI. Attackers harvested PyPI publishing secrets from LiteLLM's CI/CD runner via a previously backdoored dependency, uploading malicious versions containing a python startup hook payload.", "date": "2026-03-24", "severity": "critical", "tags": [ "pypi", "package-compromise", "supply-chain", "credential-theft", "teampcp", "cascading-trust" ], "sources_count": 3, "feed_url": "https://haltingproblems.com/analysis/litellm-pypi-hijacking/", "ioc_url": "https://haltingproblems.com/analysis/litellm-pypi-hijacking/ioc.json", "indicators": { "slug": "litellm-pypi-hijacking", "since": "2026-03-19T08:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "pypi, python pypi registry", "packages": [ "litellm" ], "versions": [ "1.82.7", "1.82.8" ], "files": [], "domains": [ "www.litellm.ai" ], "urls": [ "https://www.litellm.ai`" ], "ips": [], "hashes": [], "processPatterns": [], "networkPatterns": [] } }, { "slug": "crypto-key-stealer-typosquats", "title": "Crypto Private Key Stealer Solana/Ethereum Typosquats", "summary": "On March 24, 2026, threat actors targeted cryptocurrency developers on the npm registry by typosquatting common Solana and Ethereum libraries. The malicious packages silently harvested and exfiltrated wallet private keys to a Telegram Bot C2.", "date": "2026-03-24", "severity": "critical", "tags": [ "npm", "malicious-package", "typosquatting", "credential-theft", "crypto-stealer" ], "sources_count": 2, "feed_url": "https://haltingproblems.com/analysis/crypto-key-stealer-typosquats/", "ioc_url": "https://haltingproblems.com/analysis/crypto-key-stealer-typosquats/ioc.json", "indicators": { "slug": "crypto-key-stealer-typosquats", "since": "2026-03-24T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "npm, javascript npm registry", "packages": [ "raydium-bs58", "base-x-64", "bs58-basic", "ethersproject-wallet", "base_xd" ], "versions": [ "1.0.0" ], "files": [], "domains": [ "api.telegram.org" ], "urls": [ "https://api.telegram.org/bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw/sendMessage`" ], "ips": [], "hashes": [], "processPatterns": [], "networkPatterns": [] } }, { "slug": "trivy-pipeline-compromise", "title": "Aqua Security Trivy CI/CD Pipeline & Tag Poisoning", "summary": "On March 19, 2026, the widely adopted container vulnerability scanner Trivy was compromised in a major supply chain attack. Cybercrime group TeamPCP poisoned version tags to harvest and exfiltrate runner credentials.", "date": "2026-03-19", "severity": "critical", "tags": [ "ci-cd", "github-actions", "supply-chain", "tag-poisoning", "credential-theft" ], "sources_count": 7, "feed_url": "https://haltingproblems.com/analysis/trivy-pipeline-compromise/", "ioc_url": "https://haltingproblems.com/analysis/trivy-pipeline-compromise/ioc.json", "indicators": { "slug": "trivy-pipeline-compromise", "since": "2026-02-28T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "github-actions, container-images, go github releases, docker hub", "packages": [ "aquasecurity/trivy-action", "aquasecurity/setup-trivy", "aquasec/trivy" ], "versions": [ "aquasecurity/trivy-action@v0.0.1..v0.34.2", "aquasecurity/setup-trivy@v0.2.0..v0.2.6", "trivy-binary@v0.69.4", "aquasec/trivy:0.69.5", "aquasec/trivy:0.69.6", "aquasecurity/trivy-action@v0.0.1-v0.34.2", "aquasecurity/setup-trivy@v0.2.0-v0.2.6", "aquasecurity/trivy@v0.69.4" ], "files": [], "domains": [ "scan.aquasecurtiy.org", "www.legitsecurity.com" ], "urls": [ "https://scan.aquasecurtiy.org/exfil", "https://www.legitsecurity.com", "https://github.com/advisories/GHSA-69fq-xp46-6x23" ], "ips": [], "hashes": [], "processPatterns": [], "networkPatterns": [] } }, { "slug": "spellcheckpy-typosquatting-rat", "title": "PyPI spellcheckpy Typosquatting RAT Campaign", "summary": "Attackers published typosquatted versions of the popular pyspellchecker library to deliver a Remote Access Trojan (RAT) hidden inside compressed Basque dictionary files.", "date": "2026-01-23", "severity": "critical", "tags": [ "pypi", "typosquatting", "rat", "malware" ], "sources_count": 4, "feed_url": "https://haltingproblems.com/analysis/spellcheckpy-typosquatting-rat/", "ioc_url": "https://haltingproblems.com/analysis/spellcheckpy-typosquatting-rat/ioc.json", "indicators": { "slug": "spellcheckpy-typosquatting-rat", "since": "2025-10-28T00:00:00Z", "until": "2026-05-24T23:59:59Z", "ecosystem": "pypi pypi", "packages": [ "spellcheckerpy", "spellcheckpy" ], "versions": [ "spellcheckerpy@*", "spellcheckpy@1.2.0" ], "files": [], "domains": [ "www.aikido.dev", "eu.json.gz" ], "urls": [ "https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat", "https://helixguard.ai/blog/malicious-spellcheckers-2025-11-19/", "https://updatenet.work/update1.php`", "https://updatenet.work/settings/history.php`" ], "ips": [ "172.86.73.139" ], "hashes": [], "processPatterns": [], "networkPatterns": [] } } ] }