<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Supply-Chain on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/supply-chain/</link><description>Recent content in Supply-Chain on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 24 Apr 2026 11:30:31 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/supply-chain/index.xml" rel="self" type="application/rss+xml"/><item><title>Bitwarden CLI Backdoored on npm for 93 Minutes</title><link>https://hackingpassion.com/bitwarden-cli-supply-chain-attack/</link><pubDate>Fri, 24 Apr 2026 11:30:31 +0200</pubDate><guid>https://hackingpassion.com/bitwarden-cli-supply-chain-attack/</guid><description>&lt;p>Bitwarden&amp;rsquo;s CLI was backdoored and pushed to npm on April 22, 2026. It was live for &lt;strong>93 minutes&lt;/strong>. Every developer who installed it during that window has to treat their &lt;strong>entire machine as compromised&lt;/strong>. GitHub tokens, SSH keys, AWS credentials, cloud secrets. All of it.&lt;/p>
&lt;p>If you followed the Shai-Hulud story back in November 2025, this will sound familiar. That attack spread through npm and hit packages from Zapier, Postman, PostHog, and hundreds of others. &lt;strong>132 million monthly downloads affected.&lt;/strong> Stolen credentials dumped into public GitHub repositories for anyone to find. This new attack names itself &lt;strong>Shai-Hulud: The Third Coming&lt;/strong>, after the giant sandworms from Frank Herbert&amp;rsquo;s Dune. The irony is that this third wave specifically targets AI tools.&lt;/p></description></item><item><title>PHP Composer Command Injection CVE-2026-40261</title><link>https://hackingpassion.com/php-composer-command-injection-cve-2026-40261/</link><pubDate>Wed, 15 Apr 2026 10:38:02 +0200</pubDate><guid>https://hackingpassion.com/php-composer-command-injection-cve-2026-40261/</guid><description>&lt;p>PHP Composer Has Two Flaws That Run Arbitrary Commands on Developer Machines
PHP Composer, the package manager that almost every PHP developer uses to build websites and applications, has two serious vulnerabilities that allow an attacker to run arbitrary commands on any machine running a vulnerable version. Neither one requires Perforce to be installed, configured, or even known about. Patches came out on April 14, 2026, and many environments will still be running vulnerable versions. 😏&lt;/p></description></item><item><title>Axios npm Supply Chain Attack: How a Fake Meeting Compromised 100 Million Downloads</title><link>https://hackingpassion.com/axios-npm-supply-chain-attack/</link><pubDate>Sat, 04 Apr 2026 13:50:24 +0200</pubDate><guid>https://hackingpassion.com/axios-npm-supply-chain-attack/</guid><description>&lt;p>Axios, the JavaScript library with over &lt;strong>100 million weekly downloads&lt;/strong>, was compromised on March 31st. For roughly three hours, every fresh install of those two versions silently dropped a &lt;strong>remote access trojan&lt;/strong> on the machine that ran it. Windows, macOS, and Linux, all targeted. The installation completed normally, nothing flagged the change, and the backdoor was already running by the time the command finished. 😏&lt;/p>
&lt;p>Axios is a JavaScript HTTP client that developers use to send web requests from their applications. It ships inside frontend frameworks, backend services, mobile apps, and &lt;strong>CI/CD pipelines&lt;/strong>, and if a company runs Node.js anywhere in their stack, Axios is almost certainly somewhere in that dependency tree. That is what made this attack so significant.&lt;/p></description></item><item><title>MaliciousCorgi: The VSCode Attack Hiding in Plain Sight - 1.5 Million Installs Affected</title><link>https://hackingpassion.com/maliciouscorgi-vscode-extensions/</link><pubDate>Sun, 25 Jan 2026 11:40:27 +0100</pubDate><guid>https://hackingpassion.com/maliciouscorgi-vscode-extensions/</guid><description>&lt;p>Two VSCode extensions with 1.5 million installs are stealing source code right now, not last month. Researchers published their findings on January 22. Three days later, both extensions are still live on Microsoft&amp;rsquo;s official marketplace. Still collecting downloads. Still harvesting files. 🧐&lt;/p>
&lt;p>The extensions are ChatGPT - 中文版 with 1.34 million installs and ChatMoss with 150,000 installs. Both marketed as AI coding assistants. Both work as advertised. Both contain identical spyware that sends everything to servers in China. Researchers named the campaign MaliciousCorgi.&lt;/p></description></item><item><title>Fake SymPy Package Deploys Fileless Cryptominer on Linux Systems</title><link>https://hackingpassion.com/sympy-dev-malware/</link><pubDate>Thu, 22 Jan 2026 13:32:48 +0100</pubDate><guid>https://hackingpassion.com/sympy-dev-malware/</guid><description>&lt;p>A fake SymPy package deploys XMRig cryptominers on Linux machines. The malware hides inside polynomial functions. It only activates when you do math. Over 1,000 downloads on day one. Still live on PyPI. The real SymPy has 85 million downloads per month. That is the target size. 🧐&lt;/p>
&lt;p>Socket&amp;rsquo;s Threat Research Team found this on January 21, 2026. The attacker copied SymPy&amp;rsquo;s entire project description and branding, then uploaded it under a name that looks like a development build. Developers searching for SymPy or copy-pasting requirements might grab the wrong package without noticing.&lt;/p></description></item></channel></rss>